23542300x8000000000000000276851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.691{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2902232CE9D365E98A45C6EAE573851,SHA256=7D92D040751A00B734CF012B2988C7B6C5155DABC7114FB6D2544384C8717360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.591{F81F30E6-F3BF-62DF-7504-000000006F02}65006896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.407{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.408{F81F30E6-F3BF-62DF-7504-000000006F02}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:35.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436EA6607C38211854C04672CAF74C03,SHA256=0973402C0CCA60D3ED4DB075D2F6436E69E5620A9E305DECED80510F15FD0BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:35.348{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-108MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.261{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1300-000000007002}760C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:36.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D75819FC72A5F1F7793651B829E1ADC,SHA256=541B42CB4447EA5B441C3D1034ACBE7510620F9CB3D8376A3588B792FA457642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.474{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8915943F61DD46D3D6BEAC42ABAA27FF,SHA256=99527D1C48CD8E88E3BF0B9E514B5A69B9DC635AADDFACD8E7ED08C52ABFB8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000276860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.360{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:36.075{F81F30E6-F3C0-62DF-7604-000000006F02}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:37.340{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAE280C87914964F2E2A1901C0A3B3E,SHA256=B19CE1667BE1DFEB4F0554DAE590503B261F0C0F38E4F4109CD67FD75AB2DD56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000276871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000276863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:37.605{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14201F468DBA4C5E2342AE9C4C39ED1,SHA256=5C596C0BCA9E66458C0C33536F45418589C570D392177A990E4240ADA7541B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000276862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:34.087{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64955-false10.0.1.12-8000- 23542300x8000000000000000276872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:38.642{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2834AF453B6590889F3CF2E6F2A11150,SHA256=B2E4719CE0A66FE37A2B1DDB8873E2D4D964C9CF3835221762060F92B7AA2900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:38.433{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A87E2BDA7813CE6343CBD844DA3564,SHA256=6BC2A88916BA8E2B5CF871434B4B2AFFF3A52F78EF8DD42F6F2ED457C0DA158E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:39.527{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DB2128A1FF3567C5A8AEABD4A5BCDE,SHA256=7C60D95E653C8BF776E673FAD1301AB78A0FB8730F3AADD0B8BEDFD851301E59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.985{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.985{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.943{F81F30E6-F3C3-62DF-8704-000000006F02}81362408C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-F3C3-62DF-7E04-000000006F02}69884576C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.932{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.927{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.905{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-F163-62DF-1F04-000000006F02}22646864C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.901{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.889{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-F3C3-62DF-7B04-000000006F02}77842404C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.882{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.874{F81F30E6-F3C3-62DF-8404-000000006F02}73963224C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-F163-62DF-1F04-000000006F02}22644128C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.862{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.858{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.842{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.827{F81F30E6-F3C3-62DF-8204-000000006F02}8040436C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.824{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.822{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.822{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8204-000000006F02}8040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-F163-62DF-1F04-000000006F02}22647084C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.795{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.788{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.757{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.741{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-F3C3-62DF-7F04-000000006F02}42526716C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.724{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-F3C3-62DF-7904-000000006F02}74566672C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.721{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7F04-000000006F02}4252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.704{F81F30E6-F163-62DF-1F04-000000006F02}22644664C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.712{F81F30E6-F3C3-62DF-7E04-000000006F02}6988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-F3C3-62DF-7704-000000006F02}48086368C:\Windows\system32\cmd.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000276933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.697{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000276932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.689{F81F30E6-F3C3-62DF-7C04-000000006F02}62724240C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7C04-000000006F02}6272C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-F163-62DF-1F04-000000006F02}2264536C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.674{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7B04-000000006F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.657{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-F3C3-62DF-7A04-000000006F02}11524952C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.642{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7A04-000000006F02}1152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-F163-62DF-1F04-000000006F02}22644804C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.638{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7904-000000006F02}7456C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.626{F81F30E6-F3C3-62DF-7804-000000006F02}41166396C:\Windows\system32\conhost.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.604{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.604{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7804-000000006F02}4116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000276876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000276875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-F163-62DF-1F04-000000006F02}22641576C:\Temp\dcrat.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000276874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.601{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000276873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-7704-000000006F02}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:37.286{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51024-false10.0.1.12-8000- 23542300x800000000000000053279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:40.621{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2514B8937F8A2C82A01472ECC2A570BC,SHA256=153DCF9013834F3E7D39790BBE1A7747FE8D037946C747DC267951FBD1B98CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.727{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D7DF994EC3E80261AC2A1F5BEBA1986,SHA256=AC99A09CAD4A316A5DEF878F3811BCEB139CA4796015DFC9177730D82CEEAAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.643{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9977CE023B7A6B32BEA6374AA6BF6ACF,SHA256=E1D947DA954435FD2DEBCFBF555ED4F3C7B4989650A96B53896D78007C27F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.643{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=028341CDFD6DD76ED7EFFD38B58FD10A,SHA256=C621F27787B5B40744FEE9A167B333164A0ED33D1170C03DE718F97D1865CF67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.574{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.558{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23349B59B789BFACC43446BE0713F1B,SHA256=FF72A52A87F61E963233B30CEFC23FED3DB9397FD772CCFC3D9E859CA2F2C0D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.527{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.525{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.505{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.474{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.458{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.427{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.421{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.405{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.405{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-F3C4-62DF-8904-000000006F02}41648112C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.398{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8E04-000000006F02}1860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.390{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.374{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-F3C3-62DF-8604-000000006F02}19247832C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.364{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.359{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8D04-000000006F02}4636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.343{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.327{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.326{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.326{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.323{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB24BC7956B7CCA04D1F8AFD5E6CEECE,SHA256=F53D431F43CA879A20FC74F0A36625B65FA29AB627CCB5128FE5D0BBB8211F39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.259{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.259{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-F3C3-62DF-8304-000000006F02}40725480C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.228{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.227{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8C04-000000006F02}4352C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.225{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.224{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.174{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.127{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.127{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.124{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.124{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.123{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.123{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.106{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB73A999A580F33212303ABE7845EE9,SHA256=66FE90707F53363E825D80658AC77A2ADCFD8F270829AD7A702C234C7482F118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8604-000000006F02}1924C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983FEEAB3BB369870DC33052D478EF11,SHA256=1083874963DF99C9A4D993C3FB5D59A11366F85CF079B401067244D071DB2A5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-F3C3-62DF-8104-000000006F02}78524020C:\Windows\system32\cmd.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.075{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C3-62DF-8104-000000006F02}7852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.074{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8B04-000000006F02}7088C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8704-000000006F02}8136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66826BAFC88C8D468840BBA793B9FAF3,SHA256=FA8AAEC9158A2614DCF845C155AC7AB9C2310D639227780FA132ECCEC6B142C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.059{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C3-62DF-8504-000000006F02}8160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.043{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8304-000000006F02}4072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-F3C4-62DF-8A04-000000006F02}80287972C:\Windows\system32\conhost.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.027{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.026{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8404-000000006F02}7396C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-8004-000000006F02}3756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8A04-000000006F02}8028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-F163-62DF-1F04-000000006F02}22648128C:\Temp\dcrat.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.007{F81F30E6-F3C4-62DF-8904-000000006F02}4164C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:40.005{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C3-62DF-8804-000000006F02}3460C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.991{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C3-62DF-7D04-000000006F02}7108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:41.715{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1773ED5F1B0358AF42902AA9539DA7,SHA256=32095D5F29398D811EBE67EFA7B6EAD18293F6C8A7BE1CC39462169D6B93C68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.773{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E9FB544CE84846B158C08381CA80A7,SHA256=079A3159870E14ED2268DED2EDEB2C1DCB2811F20C2A9A1936895E281C7E5D52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:41.405{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:42.808{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C33AF63AF418F85BC20F03F2B218BC8,SHA256=328479A83200E31168DF136A53F36276F329BA34903FE134703F86707ABCB4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:42.825{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC47F653D861F7A9AA5F18B810A3C8,SHA256=36E06C10DA0C428A34D961CADF11DC3CBEE3A29138F2694B0CEB79DCB3586D53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:39.186{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64956-false10.0.1.12-8000- 23542300x800000000000000053282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:43.902{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C13D59989746AD2BFBB216E8B0FE11,SHA256=C7F51C4BF92BD8853A63B1F36E6D45FF77785C67E8D2EEE9A0EC91F109C13724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.944{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED2A210D8B5061AFFD8000AB9A589C8,SHA256=E719A3CCA336591FF973857E3A929EC8B83A7FA034488B7A2A3531F6C516B1E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:43.272{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:44.996{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C865C710AD8BD228A25807BD69C22DA0,SHA256=BEDC9C70686A53A793056C899E46EE528B15D0FF4E400DDF9E77F5B75232A107,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:42.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51025-false10.0.1.12-8000- 10341000x8000000000000000277344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.725{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.706{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.690{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.676{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-F3C8-62DF-8F04-000000006F02}66281068C:\Windows\system32\cmd.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.663{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.659{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9104-000000006F02}7728C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.644{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.628{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.625{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-F3C8-62DF-9004-000000006F02}80927828C:\Windows\system32\conhost.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-9004-000000006F02}8092C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-F163-62DF-1F04-000000006F02}22648164C:\Temp\dcrat.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.608{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:44.606{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3C8-62DF-8F04-000000006F02}6628C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.674{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34AB882CF35614A72C7836F1FCF1EE3A,SHA256=0B57A41614863CC7FEBD27CB5AF2A37B122A2C353CFF9186C81AD6195580C0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B20692087D9FA411651976186509A6B,SHA256=505EFBE5401571905E3A074E086DD123AD3FFC254FC8497C2B5BA918A53F08C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.259{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6BF11DFD7D6611E1ED5D637E9E3236,SHA256=89964AE4554933E4B760C848D2B877B88DB55CD7ACD6ECA80A634B342FCAACE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:46.090{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46659E21F8827006162F94F263E7A34,SHA256=0D95FBD14E179EC51F53822AD3A91831BB7D74946BECFCD08836A7C6341255F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:45.996{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=179B82772CA5CC0B7A1E30B10EC3DA68,SHA256=BB39CA45713EEF29F8964A50A9025571F90083A2F6169622A7CAAB4EAC5409CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000277348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:46.290{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512DAECBA5192F5A4350669B51066F69,SHA256=2CB12DCB6ECB53E2B1E296759C22E530F66BDC1AD6727C95AA9371A728620DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:46.052{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51026-false10.0.1.12-8089- 23542300x800000000000000053288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:47.340{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2071E6273FC109C8C495EDD4283C4369,SHA256=9BC5D9DD6450B71AB6470BF09E93691936378DDDC2C48E3B3C0BA6F8F51A9BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:47.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6EA0ECF4D53638C924A6B4644C1097,SHA256=8BC14896D1AD7D53BA1D09DBD9A5470DFE846D76844720441A8D6BACB4ED8CD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:47.391{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C912A7AFD93EBF090CBE4250E5251FE7,SHA256=98D847DFB5F6352F5C9DD9C130AACE944419068C495EA5E95D0B295FDCB98D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000277349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.132{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64957-false10.0.1.12-8000- 23542300x800000000000000053290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:48.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50CCE370BEA71EE31C35F999823F77C1,SHA256=8EB0474E92F9810A84B743B36BCB4148776AC959CA228295B7366C204C49E82A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-F163-62DF-1F04-000000006F02}22647940C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.977{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.962{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-F3CC-62DF-A604-000000006F02}70366612C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.959{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-F3CC-62DF-B504-000000006F02}33368008C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.924{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-F163-62DF-1F04-000000006F02}22642984C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.917{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-F3CC-62DF-A404-000000006F02}58446448C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.913{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.893{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-F3CC-62DF-B204-000000006F02}72287548C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.877{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.861{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-F163-62DF-1F04-000000006F02}22647380C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.854{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000277731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.846{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA76DF692EC20E0ABA2980461D17591F,SHA256=2E6B0430243768ADA0BDFF8392DBCEADE7001EE4090131BF5F288F9930C7035A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-F3CC-62DF-A104-000000006F02}58927184C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.835{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.828{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.828{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.824{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.808{F81F30E6-F3CC-62DF-AF04-000000006F02}78487764C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.793{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.777{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-F163-62DF-1F04-000000006F02}22643008C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.765{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000277703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B820CB67CC37F073FB8D59F1B95E3CCE,SHA256=17BD34BC0F7EAEE13F39FAF0F55FFD41E898199BD6242FD80C699CD32A1AE2B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.761{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.746{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-F3CC-62DF-AC04-000000006F02}75722816C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.730{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.729{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.728{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-F3CC-62DF-9F04-000000006F02}78921696C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.718{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AC04-000000006F02}7572C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-F163-62DF-1F04-000000006F02}22646620C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.710{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.693{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.677{F81F30E6-F3CC-62DF-AA04-000000006F02}35325244C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.662{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.646{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.630{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.624{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-AA04-000000006F02}3532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-F163-62DF-1F04-000000006F02}22646824C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.609{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.608{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-F3CC-62DF-9C04-000000006F02}73326812C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.600{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.592{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-F3CC-62DF-A704-000000006F02}47206860C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.561{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9DE6FFFE9BDE37D7DF413B341B9BC8,SHA256=6B43878FCD36972407C346B7BC058B8C0D96DA38C6B06F4731239BB5D0305047,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A704-000000006F02}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-F163-62DF-1F04-000000006F02}22641928C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A604-000000006F02}7036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.506{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.490{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.474{F81F30E6-F3CC-62DF-A504-000000006F02}10647560C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.459{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.459{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A504-000000006F02}1064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098479A0AACB0B2432AB623C079D5E87,SHA256=2B3C42775236097441AC7B9E51A50A4055FF7C58ED7BE12BD314797DBB140B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.443{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-F163-62DF-1F04-000000006F02}22646720C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.439{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A404-000000006F02}5844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.427{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.425{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-F3CC-62DF-9904-000000006F02}68287008C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.426{F81F30E6-F3CC-62DF-A304-000000006F02}7076C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.424{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.424{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-F3CC-62DF-A204-000000006F02}43005732C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.406{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A204-000000006F02}4300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-F163-62DF-1F04-000000006F02}22645436C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.398{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A104-000000006F02}5892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.390{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.375{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.359{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.359{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.343{F81F30E6-F3CC-62DF-A004-000000006F02}79447912C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.328{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.326{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-A004-000000006F02}7944C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.325{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.325{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.323{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.323{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.322{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-F163-62DF-1F04-000000006F02}22644884C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.319{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9F04-000000006F02}7892C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.306{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.290{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-F3CC-62DF-9704-000000006F02}28522872C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.284{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9E04-000000006F02}6576C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-F3CC-62DF-9D04-000000006F02}78762540C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.275{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.259{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.259{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9D04-000000006F02}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-F163-62DF-1F04-000000006F02}22645136C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.257{F81F30E6-F3CC-62DF-9C04-000000006F02}7332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 354300x8000000000000000277476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.609{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local138netbios-dgm 354300x8000000000000000277475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:45.609{F81F30E6-D978-62DF-0100-000000006F02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000277474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.244{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D8AF32550175F831EB7818FC6A9E5E,SHA256=70D2F0E6E7E56CD5C371D62B6D9BF1B4089B879F00936BB0425D9A7CCB6E35B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.228{F81F30E6-F3CC-62DF-9B04-000000006F02}11324524C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.226{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9B04-000000006F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-F163-62DF-1F04-000000006F02}22647188C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000277439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-F3CC-62DF-9404-000000006F02}49486928C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.207{F81F30E6-F3CC-62DF-9A04-000000006F02}6844C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 154100x8000000000000000277437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.207{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.206{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9904-000000006F02}6828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.190{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-F3CC-62DF-9804-000000006F02}12407176C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.175{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.159{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9804-000000006F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-F163-62DF-1F04-000000006F02}22646168C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.150{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9704-000000006F02}2852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.144{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-F3CC-62DF-9204-000000006F02}72608036C:\Windows\system32\cmd.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.142{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9604-000000006F02}7732C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.128{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.124{F81F30E6-F3CC-62DF-9504-000000006F02}65563716C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.106{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9504-000000006F02}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-F163-62DF-1F04-000000006F02}22644360C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.094{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9404-000000006F02}4948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.090{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.074{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.059{F81F30E6-F3CC-62DF-9304-000000006F02}72686012C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9304-000000006F02}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-F163-62DF-1F04-000000006F02}22647452C:\Temp\dcrat.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.047{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.043{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-9204-000000006F02}7260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000053292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:48.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51027-false10.0.1.12-8000- 23542300x800000000000000053291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:49.261{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A3CAD071F089662574C3E2DB026D19,SHA256=547D10F0034AE7B8D0E0F73227383EA89D96226BA3C63808C4EDF72F6273B797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.708{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.692{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDBD48FF45B48D02AA079DFA954790,SHA256=19379134F146547C8954AE6468C17B27DC83713D528C656CBD72B3E0B60F17D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.676{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.661{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.645{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.629{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.626{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.625{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.625{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.624{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.608{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.592{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.577{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.561{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0514714657D0239DC68CD41FC60D483F,SHA256=365FC7C50EBD58428D25DB0AFD9F0360E5CC7B9FAB76ED3318106AD8B3218BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.530{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.508{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.508{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.492{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.477{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.477{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.461{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE6A41A68B19C87F232848D676B2BB3,SHA256=7D7F099264BA409C6912CACD28A7C06115527D929CAD720F74A35D6BFFCC526F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.445{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.429{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.429{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.426{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.425{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.425{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.424{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-F3CD-62DF-B904-000000006F02}8068292C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.402{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C104-000000006F02}2812C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.392{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.377{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-F3CC-62DF-B704-000000006F02}65605284C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.352{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-C004-000000006F02}1916C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.346{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.330{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-F3CC-62DF-B404-000000006F02}80206100C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.311{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.308{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BF04-000000006F02}6668C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.293{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E9E028E1473A5F2EF71BB6D204E0E8,SHA256=7CC4BDF43BBA877EA2608582F4D46BE53BD7DD6DB824940A9EB436DC1EC6C459,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.293{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B404-000000006F02}8020C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-F3CC-62DF-B104-000000006F02}61603680C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.263{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.261{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BE04-000000006F02}2412C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.246{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.230{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.230{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.229{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-F3CC-62DF-AE04-000000006F02}57163196C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.210{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.208{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BD04-000000006F02}6524C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B104-000000006F02}6160C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.193{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AD04-000000006F02}3400C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17013CD9505F500B03AC7A9F6C572C9,SHA256=CEA2E44B02A4A3183C2CA980F4F343F800C51785E41598D60EF19D72930B64AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-F3CC-62DF-AB04-000000006F02}71162544C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.148{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.146{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BC04-000000006F02}7532C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AE04-000000006F02}5716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B304-000000006F02}5212C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.126{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B504-000000006F02}3336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.108{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.108{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.093{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.077{F81F30E6-F3CD-62DF-BA04-000000006F02}47485292C:\Windows\system32\conhost.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332E3240FBD5B3E73CE85D1D01A1EE3E,SHA256=01AA95D2D301D73706FEF22C7F54CBE5B5AA1F9EF5E277802F14E14B043F826E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000277858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.062{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-F3CC-62DF-A904-000000006F02}43166604C:\Windows\system32\cmd.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000277851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.061{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3CC-62DF-A904-000000006F02}4316C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000277850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BB04-000000006F02}6536C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-BA04-000000006F02}4748C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000277842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-F163-62DF-1F04-000000006F02}22646308C:\Temp\dcrat.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000277841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.053{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000277840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3CD-62DF-B904-000000006F02}8068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-A804-000000006F02}6924C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000277833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.025{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-B204-000000006F02}7228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.024{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.024{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BD-62DF-9000-000000006F02}46887988C:\Windows\Explorer.EXE{F81F30E6-F3CC-62DF-AB04-000000006F02}7116C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3CC-62DF-AF04-000000006F02}7848C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B804-000000006F02}6520C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:49.009{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3CC-62DF-B004-000000006F02}4668C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3CC-62DF-B604-000000006F02}7216C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000277820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-F3CC-62DF-B804-000000006F02}65207656C:\Windows\system32\conhost.exe{F81F30E6-F3CC-62DF-B704-000000006F02}6560C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000277819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.993{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=375770933B088FA1013E9C17F7ACFA9C,SHA256=12DC730ED0C3CEF15E2072F184E79ED116E6C7FEA32581084F03B1ADA228E22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:50.355{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3E5DB47EDBD62BD6E00DA26BB59FC4,SHA256=7C55B0F1252ABE8A5C147534ECBA95FBC6935CF690D576AC20FF4C02D3415FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.544{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A078EC301729A89F3262E3F37616D8,SHA256=A25BDDDE3EECDE4AEB5D630BA7A31D945FE862966A47648619DE5B89EAEA44D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:48.005{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64958-false10.0.1.12-8089- 10341000x8000000000000000278109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.326{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.325{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:50.325{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D97C-62DF-1400-000000006F02}1124C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:51.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9006276A851E7C83A3BD26F1AFB619,SHA256=656237587244320087FA0D4602EC64BFD1EF70BE7E41BC4C133A3720F06C7F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:51.644{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5775AFC281C79AC34EE3F3FD5B8A54D1,SHA256=B1126DE326017D64AAC61CC7E161F4457D0DCDD595D2B776B50B49BBB5E19173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:52.558{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710A6E0B8E8D1436B94BFB6DE1F68FF0,SHA256=5AF01894F8403016877DCE48AEB7A67F4C6D9580029F4CB5E972BA5319AB3BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:52.783{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CE06839FE9C0E228E321BAA6D366B4,SHA256=9E1A1B2DA5C9E3D756BD6E215A3B783F6F02BB61D2161CF8DBAFE77E219AA4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:53.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933B005FC6E19B3F44D6BE7CEFA7844,SHA256=7E97A369A83A009DF105D010F56ECB22CAB8F5C635466C5B0B1F243BB95216CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.881{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E86C3C000BA017AEF4F97FB9B3F80D,SHA256=3470F872B119CBF81E5761A47C8F4A9C683FCA33B5EC13078D0F86F237722986,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:51.037{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64959-false10.0.1.12-8000- 10341000x8000000000000000278115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:53.382{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:54.746{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B405D6364241CFCE252BA46A1B0A272E,SHA256=91476BA5BF17284D213619D4DB9B5AB762D72018EDEFAE08C587217D6634CD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:55.840{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E893732A2AB76C83DAA676938E75869,SHA256=CD4AB21ED636E11099850B5044006A152DDD44675600B53A91A36846972ED0FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:54.223{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51028-false10.0.1.12-8000- 23542300x8000000000000000278118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:55.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD703DD830F6C0F611526E355966BFC1,SHA256=DD07873AD3FCF7A0748F5BFF01FB30A1482DFDA6B06AB3488F908716E0D445CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:56.933{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C9FE0E32F33D7AADC72E2667C7FF8F,SHA256=102479084683AEAFE9BF1F5426A0567EBE6F183DCEC0839A340DE6B3DEDDF855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf100|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000278122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-D9BD-62DF-9000-000000006F02}46884812C:\Windows\Explorer.EXE{F81F30E6-DAB4-62DF-BF00-000000006F02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cebe1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80163E5BCD8)|UNKNOWN(FFFFF2A666167E08)|UNKNOWN(FFFFF2A666167F87)|UNKNOWN(FFFFF2A666162611)|UNKNOWN(FFFFF2A666163FDA)|UNKNOWN(FFFFF2A666162296)|UNKNOWN(FFFFF80163B71503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d296b|C:\Windows\System32\SHELL32.dll+11971a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.448{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF66f80b.TMPMD5=916C2D93B58C5CBAC8AC3098A059BFC5,SHA256=55953AB8F4BC753693EBC3ACF5A7C00D704055829032829763C3617710DD9C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.428{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\aborted-session-pingMD5=584D5F96DD30DE58A1219FCA89FB4F11,SHA256=C76D157142E28131F3FCF81F97167A99DB85FC8DCE313BF3DFA6DF27013F34AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4462653B8BACDAAE25F56F244D27ED22,SHA256=33BCCD9B0C754F6EF0A85F8D77889294B7ACC7C643428E8C71234E2273997E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:57.394{F81F30E6-DAB4-62DF-BF00-000000006F02}2464ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\e57grxtg.default-release\datareporting\glean\db\data.safe.binMD5=7B37D23C0EAC1D88C8C34B5BC6480FC5,SHA256=4FE4DCBB4B89D722AEC92CB2C236ECA859B1606C9D7733E9AC2324F5362B1D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:57.094{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B699782792EA2C1F8C7D2013141847,SHA256=7A261A24BFBD92F40C15CBB279702673282921596899991B9D68E8B342D9BF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:58.027{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B11960781BD51D180E1BD7A069C67,SHA256=52FAE7780C75FFF910731AAAC92C5ACB8B1663242F0E7CC112868C87BEB46653,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:56.041{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64960-false10.0.1.12-8000- 23542300x8000000000000000278126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:58.193{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E4E251130618496B5EFBD5FC7031F7,SHA256=CC527006979D73C5E7C87A608EF2B27DB8DBAD764AC2928EB021265CD96A6130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:01:59.121{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD0C39DB1939809CA52E9A3D8399320,SHA256=D9186155C31A2E68F4155EDADD60F1180239E88B82F0CDA11E7293C6A238298B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:01:59.226{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94592D9E50DDA311F7BCB26DC4875746,SHA256=D9A8112DA4B066913247B87DD074F07DAB4921106893837292464AF6C733BB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:00.325{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E5ADA1085CDCD240531DDF83076C82,SHA256=1D6E431CFF2856424D2CEB2F0E6C18B56139D8F0DE59DE1D01D7167A03232F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:00.215{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C56CCFE8FDB9211862A24A530614457,SHA256=B8C5CC470AC6DF9FBCE5BBE09CB2DEFF9A61B326F965BCC3AB59658C2ED59917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8427640B4DF5D0F9F8623C7595A7277,SHA256=FE7A34B42E41947270C84BDD39CD7AF3C958B051FB6202A2D5BF68DC4FD46161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.345{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6A929628F37CF38CC47CBE83CD06FB7A,SHA256=91F5D2B73795D0B93AE7C4934BEF5D8539BA75A3EC90EB6B87780016EA8023AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:00.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51029-false10.0.1.12-8000- 23542300x800000000000000053304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:01.308{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78A83400F4D4AB2829175B479FD7E7E,SHA256=7DB0691793FDEBCF0ACE32CE2A21CA505786050DEA39D026E4F8571AF831D50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:02.475{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC805D9C96042720F80B373AD43C9415,SHA256=BE4AED077D8F30D673CB0036B7D04E4C19376E0E5BB32FE3B95757412D97A4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:02.402{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADB2D434C86DC17696C68CCCF5A5506,SHA256=11C4157E1D267009163DBEC952BE16E5DFC539788FE6C0C440B4D1B25FE6ADCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:03.496{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EA8EC6CB640CE9CAD35287D44F3350,SHA256=BC044935040C24159B2FF213C2DE97D1AC4D4033556181BB3AEB0629FEA47462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:03.777{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C276117F01579D623CD5C42AB79E1E,SHA256=09AA8B6E24D4207392933C09333FE951E6514C33AA927490DC40DC1C2E177018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:03.606{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B871CC8300220085B9FFCD91127B6E,SHA256=5AF8B99548D58BD46236D0BAA635C7894587ADDEB2EB42A5FBF12366F763084C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.219{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64961-false10.0.1.12-8000- 23542300x800000000000000053308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:04.590{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F0C789915DC3977DF50E9269C15945,SHA256=E65744B6F54C091EDF42DB59D208832A3FCDDB6F53B2058F7C08909439452A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.718{F81F30E6-D97A-62DF-0B00-000000006F02}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64962-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 354300x8000000000000000278137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:01.718{F81F30E6-D98A-62DF-2600-000000006F02}2568C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local64962-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-502.attackrange.local389ldap 23542300x8000000000000000278136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:04.594{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97DA17D6BDEBB421C691F80078F37BAC,SHA256=A0F3B4D6C2C6A258D4B1B650D3774FE4F8CF6EB81F7DBDE943D77AE412F6D0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:05.683{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C162010F3C067A6BB7F1520DAFE29D,SHA256=9D05FF6FCAB97BE81C61470EE63FFDEB3BCF6182D03FDE166B390F73A1A53A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:05.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBF2F3D5FF4EB3AF0BCA2BE1C4744AF7,SHA256=9580218DE68354E1AB117E28612818BDE35FE09450682D91A8F21872035FA12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:06.777{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DCBB94D5405A32487B5B8E1449A0651,SHA256=FE41259BDB5A4327892E10618AA2E68B652F6513E0C8591E6A46B94BF2C8144B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:06.668{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50253AD917B03DE9077948B9377CAC17,SHA256=31FE634510DDBC1D8B55131EF054995EE55654BBC8B61B93364497996B892E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:07.871{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604320F66E474F70DFDE6CFE7F7C6C90,SHA256=A88DD06601B276C384C4D601626473C06189B872EA55663A8D834FEFB053B581,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:06.114{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51030-false10.0.1.12-8000- 23542300x8000000000000000278141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:07.713{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF6F8D09F787DD5C71B7006D0DAC6C0,SHA256=D4ECD4CB1E8C1FBBC189404CBDFA4B22AE4A8B626198E36B78FB41863A744F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:08.965{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F217C28C2BC06B625249B228610A1B,SHA256=EC4EC8218E4529690AF1925D0ACB730CAC9DC499B4FF7662BCC85A2281B8EE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.839{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC04A56DB2499CAEB762B6FE98A4790D,SHA256=EC4D79EAAC77405AD296CDDBED7BF4DE2A1AD888825FE6A1EE0750A223CC0D1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:08.557{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DA3F-62DF-B800-000000006F02}4908C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:09.974{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D538CFA391D05A4EE7ED3AE667579F07,SHA256=85C8CB0CD2D9F7C199F0EBAAF8C30E007BA5C73CD6284018A89E9D34D7A9ABED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:07.215{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64963-false10.0.1.12-8000- 23542300x800000000000000053314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:10.058{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C527A1D5E78A4843E5EBED76A9F552FC,SHA256=1CD8BC12D1677EF16459CDF10FCA2FA79094D0690A245BBA1A0D533563A44E9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:11.152{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC27A3F9F5FD58046051FB1C2B4BD402,SHA256=B4EB1CD6144B20182EA995C1B189D90DDC2CDF3DBF79691A7FED4F2EB6F6FD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:11.020{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16BE293AAD0717F58C3C2EE9AC84D245,SHA256=EACF7CADA51F1523B3309A8A102838A717866F031FD1C55775D56CB2EEA637C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.918{53069400-F3E4-62DF-8E03-000000007002}10524028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.746{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.747{53069400-F3E4-62DF-8E03-000000007002}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.371{53069400-F3E4-62DF-8D03-000000007002}656288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AFB8970FAF4FF231A9EAEA546A8F27,SHA256=0EC1E217BECDEAA5A152C979CA56DB589C2BA5A694D22C1CA84574090757865D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97C-62DF-0500-000000007002}412540C:\Windows\system32\csrss.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.183{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:12.184{53069400-F3E4-62DF-8D03-000000007002}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:12.056{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6740A9C99DB25043E6A115649125F0E8,SHA256=EE5D143D37DF958AA42EFC9BB55C333E4579EE4D1596ACF5E9ADCB0D73391AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.871{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.872{53069400-F3E5-62DF-9003-000000007002}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.511{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C07FEBB43CA1C2B5A7DE725776B1F3,SHA256=C851584E7FB3F8A1539E1D2CDCDA30AF4BDD1D68E7F69A5EBC245AEEC70384FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:13.101{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD7833826DC849FEF00A1253DF3799,SHA256=B84E105850F87A7D3C67A4BAFC651CD804CBEC017C03DC4DA030B7602D541610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.371{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.372{53069400-F3E5-62DF-8F03-000000007002}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:13.246{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3A5CCABEFD89ABA2A041F68C21DF2C,SHA256=EEAAAA745E15848D430603B54ED5BF8FA1A1A6EDD21ADD5D62F5E03C18E7AC03,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:11.333{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51031-false10.0.1.12-8000- 23542300x800000000000000053388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.652{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D17BC50FA381B5489A37761D86C63DB,SHA256=ED5557519D585D77E747B3E41B4B348E4544315923E6F1CF089B37B50BC9E203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:14.155{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF154A21EF915161BC91BF2B26E1A0D,SHA256=FDE2635449CCAE858A51702DB6401A9064D12BE6B1BFB76373698C98E0D0CF2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.511{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.512{53069400-F3E6-62DF-9103-000000007002}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000053374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:14.012{53069400-F3E5-62DF-9003-000000007002}33363624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.793{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.794{53069400-F3E7-62DF-9303-000000007002}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.668{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0ADA6F59852D2CE8A9D3E3FCAA00DD,SHA256=ABF95E6BF2B407CF6F55D392EA072512E5C0A7135744F660B342DE0F53B62BA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:13.167{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64964-false10.0.1.12-8000- 23542300x8000000000000000278157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:15.200{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0399AB257215AB22D9B1E713D642D211,SHA256=392C64CDFFA6F5F41891995AEF724A5B98C028E475DC4428731587C3924DCA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000053402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.293{53069400-F3E7-62DF-9203-000000007002}37643940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97E-62DF-2900-000000007002}27802800C:\Windows\system32\conhost.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0C00-000000007002}7401372C:\Windows\system32\svchost.exe{53069400-D97D-62DF-1D00-000000007002}1928C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000053391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97C-62DF-0500-000000007002}412428C:\Windows\system32\csrss.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000053390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.136{53069400-D97D-62DF-1E00-000000007002}19402768C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000053389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:15.137{53069400-F3E7-62DF-9203-000000007002}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53069400-D97C-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{53069400-D97D-62DF-1E00-000000007002}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000053418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:16.871{53069400-D97D-62DF-1E00-000000007002}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A337A82AD01F186E271F8277D5763F09,SHA256=64AAEDC42B628DA9F655497ABDB331431393BEE07E5EED2FD1AD43C24B0D6B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:16.761{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D8BD6E44C96E0FD339B4B819930635,SHA256=160A81EB3B7B2445C40813502C9FFDB799947B887713444A2FC7CEC6637EF1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:16.255{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAAA1CF1AF5293C4822A54A2BCC31B8,SHA256=261A98B7402F2BDE8009252448EB4A97989AB695BA88D494ABD70EEA9CB9D6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:17.855{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8F82ED16AE953C316E1AF987948791,SHA256=AB6C4E2991D8BA7DC96C4F973F4BA39C4E8C1A1484F3000C7AF37A75459A9413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:17.285{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E383BD41954DF4AAF57EC12D995DB6,SHA256=5DCC9BBC4BBC06E9BCA2E59CB76B79583F639C6B139FB5567E70330155E368ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:18.949{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CDD34EDBFEB49DD676938D3B020F49,SHA256=1CA001C1F0DE339E2D47850B820162EB4C4D2B6A7AF069A005D6F807DDA053F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:18.333{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8401AB64F693454EDF007D5F8B2FB2,SHA256=E3DEED04865197A115409B793D243D3BFD4AA6A8236CC976646237CE2E4719F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:19.433{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C55BF5D78F5F51EFA1A32E4695C153B,SHA256=E88F2DB93A84A31BFBE6614D43DBC384166767876DC7331676CC7E4F851462CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:17.255{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51032-false10.0.1.12-8000- 23542300x800000000000000053422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:20.043{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E9D43F4051F6CFB12685763B679612,SHA256=BE7E109E251C0D7F2F3C8C0BFBA1FA8849DFEE6F7E108F4EC2B2AD7A608189FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:20.467{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F27EFA5626792182CE5BA9F5F5B21A,SHA256=660D632A6552FF1D6C3C04CB155BC1C83BD1C6E50DE470302A0ECA47BC09FEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:19.095{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64965-false10.0.1.12-8000- 23542300x8000000000000000278164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:21.513{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68B302A97EC3DF53FD9746F1058DEF0,SHA256=8D5B24F0A4537584F847A03FCC63B89097AA957F96568495174DF0C98236ABF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:21.136{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3B9B702593859C91D04963E5DDB127,SHA256=F16FFD680C5CDC3E1D4370E6AF3867FA5503C1EDF658BB4BFE790ABDD90DE9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:22.550{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D984FD12D8E74125B8E79B3674DAA5,SHA256=F34E8565050E967A1FFCD5EFA3FDF53F6FE67AEBAF44FAB5B131524D1544C775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:22.639{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\respondent-20220726120936-109MD5=F10909D358012860607A88999540BE61,SHA256=618099B8C52552D13629F748BAC7127C20F9D45615160D64360388A771E36D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:22.230{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230A487534FFF82E28FC6EC8534AD0F0,SHA256=DD50EE09FC430ACD67436DA445A4F3B1647CC859450226BF58426608A10F1F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:23.580{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FE6AFD54207A23BEB1DA6BA25B1C53,SHA256=3648E9EAFCAA5B3D1A2C1EB6246F3730A1D975F69D3E7C568CF6C6D3796FEA63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.651{53069400-D97D-62DF-1C00-000000007002}1896NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0923b0b66bc46ec04\channels\health\surveyor-20220726120934-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.323{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5059ADC98D22DDDE06FA55A4BB56463E,SHA256=83575CC88F0D185C8A67AB7BDD5CACA643E27EC946980D894D3D6D5E29775D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:24.628{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFB85AC53A714817E562C442AF4823B,SHA256=7DCEE76BC0572ED59E9243F0A8E7B5F29476CA6A3E2780E405A5CA4E18029EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:24.418{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC7C48742C843F1D7E5C02DDAE6D212B,SHA256=1BDEB675B1D964042B8135EB9D6B0375C5887EE2AED48B3F17A60B375A3C45F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:25.663{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9266AA328D2721C043D6C178FD0D2E10,SHA256=5D5D49947796A0B3B7E2D7244FC17A37309AE33D4E7F2920EEE4F2C10EB40C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:25.512{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B13381959014CDD48132BDA78D181F,SHA256=5022339BC86DA47943C3814C702219327CDCDA0F08BBBF58EEF47FD165621806,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:23.144{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51033-false10.0.1.12-8000- 23542300x800000000000000053431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:26.606{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA676CC876E65980987CBEDC6AD08516,SHA256=2D63D015E6BAC20648D8347BCA5D34CD9E99CF9E54C99D92F4DC42CAF2674DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.779{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5568105FBC03C9DD3E9F74BC13AC23,SHA256=671BCD7280CFDDAE3097146EEF6A6344B3DD60A9D5736165649FF31441896687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.278{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:26.262{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:27.699{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86198BE85EBF10CFBC34135483F0DA2,SHA256=C8E92FFCA70796E500F1FD275692750DE711E4982788C797757131C3643DD778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:27.795{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2DF2A4AE4EC2CCD945CE27F03241DB,SHA256=168D1C4646651804D2FA7DC540F3217D863E9C467A54456DB5745BB8911B2BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000278179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:24.190{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64966-false10.0.1.12-8000- 23542300x800000000000000053433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:28.793{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC09E33615F11A5DED1EDE149B83EEA,SHA256=89C61CAAAD668CB34ECDA7E26976F917EE8A456AA896D52450C5DF354CF06A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.964{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077BBE2EF5DCCA9575187EDFF2E921AD,SHA256=12AF2A5ED9BDF3D2E1E3218D6877C7CCD99541DECE85B55FD55DE05306A71470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.763{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.747{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.732{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.725{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.725{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-F3F4-62DF-C204-000000006F02}81807160C:\Windows\system32\cmd.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.708{F81F30E6-F3F4-62DF-C404-000000006F02}8188C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.694{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.679{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-F3F4-62DF-C304-000000006F02}58204968C:\Windows\system32\conhost.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.663{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C304-000000006F02}5820C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-F163-62DF-1F04-000000006F02}22643024C:\Temp\dcrat.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.659{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:28.647{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3F4-62DF-C204-000000006F02}8180C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:29.887{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CE84AC81448A035178CA8264B7171E,SHA256=070012C7A1223255D445B3F1ADCA8423597E76E0517743977F786B896211CC6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.850{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.850{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:29.712{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5497675E4256637248AC4C32944B4BF6,SHA256=AEE36CF6EA39D8DFC2BC57AC56E82C241DB46720C62F47CF64C940F4F0E937A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:30.981{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6175C9DC77CD87A726462A3833C457C8,SHA256=B3FC716ADA551D02A90AC8EFF741CC36D75D145D7DDCF49698C80C28E1DB2EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:28.208{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51034-false10.0.1.12-8000- 10341000x8000000000000000278257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.580{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.565{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.249{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.234{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.012{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD0C3A60753557C792335263A965692,SHA256=62EF5ECF6636BFAE7903497F07080C377ACC30A40E5EEFE36BAF5808082143C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.894{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.894{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.663{F81F30E6-D98A-62DF-2E00-000000006F02}2780NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B1856292E6834D556F4B1FBDE93E45C9,SHA256=0EA511CCCB117E1A9981C0132981C6DB64E7CABC251128F89AD97AD8A2CE094D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000278258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:31.064{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C29427DEB6FA0382DA5A44A94A485E,SHA256=CA40BAD5B862F12B59B731E01858D79BB698CC11ACFCAB46C937161819EEE5A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:32.074{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3CC33AE435A9B94D2BCD5F8A6ED9EA,SHA256=2642DB76A60EEBE3E19901FDD1518D748557A7E6FBE09B56C40B3F55994490FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.928{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.926{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.925{F81F30E6-F3F8-62DF-C604-000000006F02}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000278275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.693{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.478{F81F30E6-F3F8-62DF-C504-000000006F02}76727768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.263{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D97A-62DF-0500-000000006F02}412540C:\Windows\system32\csrss.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.247{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.248{F81F30E6-F3F8-62DF-C504-000000006F02}7672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:32.110{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF58F043CEEC5F840D083DFB6EB58D96,SHA256=6664419A5ED18CF6BC26406193D30673E9846BEDB67233A4AF950CCB2AD75432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:33.168{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA1ACB968CF3099A22C48EB312C778E,SHA256=A85F168F424679FC1A72B66C7B19FCC4C0ACBB71B67016BF8C01BD74F2F5D9BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.462{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.464{F81F30E6-F3F9-62DF-C704-000000006F02}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.150{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D45B123125A94230F7A56224528DB7E,SHA256=9A2C5C0136EE11AC3C7B23A38A514C301FB81B44DF1CFE996DF2CE0D19C6169D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:33.150{F81F30E6-F3F8-62DF-C604-000000006F02}30848168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000278284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:30.078{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64967-false10.0.1.12-8000- 354300x800000000000000053441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:33.239{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51035-false10.0.1.12-8000- 23542300x800000000000000053440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:34.262{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54459C94FEB6913E517A660361985B0,SHA256=F4CA2F7A7D605E06304CD208D349B2ACC55569B87631D3A95FAEC0212A537794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.977{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.961{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.946{F81F30E6-F3FA-62DF-F304-000000006F02}87248748C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-F163-62DF-1F04-000000006F02}22648656C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.938{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.930{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.927{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-F3FA-62DF-DF04-000000006F02}70047924C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.926{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.908{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-F3FA-62DF-F004-000000006F02}86328660C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.893{F81F30E6-F3FA-62DF-E204-000000006F02}82568260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-F163-62DF-1F04-000000006F02}22648576C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.882{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.877{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-F3FA-62DF-DC04-000000006F02}71885136C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.870{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 23542300x8000000000000000278734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.861{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF604104B052EDFFBFC79968FBE9F62,SHA256=217065C4514A4A8B9B6B69DA102907BE7FDD8AF5AE6C1A3004329284AEDFB958,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.846{F81F30E6-F3FA-62DF-ED04-000000006F02}85488580C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.830{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.826{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.826{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.824{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-F163-62DF-1F04-000000006F02}22648484C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.824{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-F3FA-62DF-DA04-000000006F02}70844128C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.813{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.808{F81F30E6-D97C-62DF-1000-000000006F02}448NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4B271AEAB9E3C3B620E053CB7D9480DD,SHA256=014C122EABA681E4152600DA5A857AD770BFD2F9A245D54DFCFFF0E4E0618CD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.793{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-F3FA-62DF-EA04-000000006F02}84688492C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.777{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-EA04-000000006F02}8468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-F163-62DF-1F04-000000006F02}22648392C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.768{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.761{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.746{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-F3FA-62DF-D704-000000006F02}70167856C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.745{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-F3FA-62DF-E704-000000006F02}83768404C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.730{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0E867D3E35CACB53CD6BAE9B23DE38,SHA256=15864B251C672611543DE2B620F26DF11ADAF72870B0C9812CC36E113CC90BF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.728{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.727{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.726{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E704-000000006F02}8376C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-F163-62DF-1F04-000000006F02}22648304C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.709{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.708{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.693{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.677{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-F3FA-62DF-D504-000000006F02}63845132C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.674{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-F3FA-62DF-E404-000000006F02}82928320C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.662{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E404-000000006F02}8292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-F163-62DF-1F04-000000006F02}22646824C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.646{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A9CDAC542A508FA28EFB7B46C9DCB4,SHA256=C3F63A560BD62241C8FB6439329AB110C6D713859C5B431D6025BB3E55EDF36B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.630{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.629{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.629{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.628{F81F30E6-F3FA-62DF-E204-000000006F02}8256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000278586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:34.027{53069400-D97D-62DF-1100-000000007002}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5BE9FFD5A750BB034D19294D9BF3BCA5,SHA256=2D9BDD234D74A1CA5E6B5203B77188527BDA2A91C60AE566769811A1F1480C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000278574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACA3E2DA0189E661BDD789422DA4D72,SHA256=2ABFCF95AF035F5D51E1671F62FA49B38E4CFA4357F273A9893ABC112DC52F74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-F3FA-62DF-D204-000000006F02}67766496C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.613{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.609{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-F3FA-62DF-E004-000000006F02}77688216C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.593{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-E004-000000006F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-F163-62DF-1F04-000000006F02}22647380C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.589{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DF04-000000006F02}7004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.577{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-F3FA-62DF-DD04-000000006F02}19285620C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.562{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F3FA-62DF-D004-000000006F02}2820372C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.556{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DD04-000000006F02}1928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F163-62DF-1F04-000000006F02}22644360C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.546{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DC04-000000006F02}7188C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.530{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.529{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.528{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.528{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.527{F81F30E6-F3FA-62DF-DB04-000000006F02}68646168C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DB04-000000006F02}6864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.509{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F163-62DF-1F04-000000006F02}22647320C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.508{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-DA04-000000006F02}7084C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F3FA-62DF-CD04-000000006F02}25522560C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.493{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D904-000000006F02}6420C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-F3FA-62DF-D804-000000006F02}52967096C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.477{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D804-000000006F02}5296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-F163-62DF-1F04-000000006F02}22647672C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.469{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.462{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D704-000000006F02}7016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.446{F81F30E6-F3FA-62DF-D604-000000006F02}35043100C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.431{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.430{F81F30E6-F3FA-62DF-C804-000000006F02}67365888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.425{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D604-000000006F02}3504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-F163-62DF-1F04-000000006F02}22647392C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.413{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.408{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D504-000000006F02}6384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.393{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-F3FA-62DF-D304-000000006F02}965744C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.377{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-F3FA-62DF-CB04-000000006F02}70565248C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.373{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D404-000000006F02}3052C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.362{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D304-000000006F02}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-F163-62DF-1F04-000000006F02}22643452C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000278398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.351{F81F30E6-F3FA-62DF-D204-000000006F02}6776C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.346{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.330{F81F30E6-F3FA-62DF-D104-000000006F02}32966356C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D104-000000006F02}3296C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.308{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-F163-62DF-1F04-000000006F02}22647496C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.305{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-D004-000000006F02}2820C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.293{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-F3FA-62DF-CE04-000000006F02}42367092C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-F3FA-62DF-C904-000000006F02}12766820C:\Windows\system32\cmd.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.290{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CF04-000000006F02}8108C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.277{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CE04-000000006F02}4236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-F163-62DF-1F04-000000006F02}22647384C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.267{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CD04-000000006F02}2552C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.262{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-F3FA-62DF-CC04-000000006F02}80566472C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.246{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CC04-000000006F02}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-F163-62DF-1F04-000000006F02}22647692C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.238{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CB04-000000006F02}7056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.230{F81F30E6-F3FA-62DF-CA04-000000006F02}65928064C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-CA04-000000006F02}6592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-F163-62DF-1F04-000000006F02}22641256C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.210{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.209{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FA-62DF-C904-000000006F02}1276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.177{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9475163694DC3BBB29B0A0DB41FD85B,SHA256=3A81575C15251AACF26A7D8593A0294F55965463CC831B76ED590361A9F1F80F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.129{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.126{F81F30E6-D97A-62DF-0500-000000006F02}412428C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.125{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.125{F81F30E6-F3FA-62DF-C804-000000006F02}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000279199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.976{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.960{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.944{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.929{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.924{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.907{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0944A9018660D55BC3F8CEC53CAC8842,SHA256=1A83C5251B539CEB67353E4C9D4FC9F6B192BC7F59BCFFF587DAC7D37136B7D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.891{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.876{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.860{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.844{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.844{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC92B49440C47DA5D11F06313C8E5CA,SHA256=B11EE72131EEBF6F9954D26F3E09665948D3FC0BBCC4C2782E794547D5AE0FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.829{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.829{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.827{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.825{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.824{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:35.356{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94455F84615029FBBD46C460ED454CB,SHA256=7150F2525C650C3AA029576735CED2A310802F76C3A7C2F239639D27DC3A9B24,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000279145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.824{F81F30E6-F3FB-62DF-0705-000000006F02}9304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000279144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.807{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.791{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.791{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.776{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.760{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.745{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.729{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.728{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.727{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.707{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-F3FB-62DF-FE04-000000006F02}90489052C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.699{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.692{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.676{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.676{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.660{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-F3FB-62DF-FA04-000000006F02}89528956C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.649{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.645{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.629{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2DA3B3912D16AEE669C628952F85BE2,SHA256=F47950038A0EEB119CCA2CEBAAF6150FCE4FEAA350DAD0AB4BAF2F02D485CFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.626{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E31BB7D8B25AC5CDD46694ED3C7B1EF,SHA256=3E610AE936EE60F27E4BCCEA52FC30C8365D2C35C5F3B1002957FE23B20FFAF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-F3FB-62DF-F704-000000006F02}88648868C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.604{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.592{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.576{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.560{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.545{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-F3FA-62DF-F404-000000006F02}87808784C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.540{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.529{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.527{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.507{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.507{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.492{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.476{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-F3FA-62DF-F204-000000006F02}87168720C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.471{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-F204-000000006F02}8716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.461{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.445{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C48271FB219FD5CBD639D245BDB8C39,SHA256=86D2320D12B8537B8A5ABD3827601EF07F22670C0C403D4555F620CCE91576B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.429{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.408{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-F3FA-62DF-EF04-000000006F02}86248628C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.398{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-EF04-000000006F02}8624C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.392{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.376{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.361{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.345{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.329{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EB04-000000006F02}8508C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.308{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-F3FA-62DF-EC04-000000006F02}85368540C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.307{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.292{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6607AA6D19D3728C3C98A1B9049993B6,SHA256=6785DBEB411ECBC3134A0648E5A41C2763B97D4FFDD3A73C826AED838B412273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-EC04-000000006F02}8536C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.276{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.261{F81F30E6-F3FB-62DF-FF04-000000006F02}90569080C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.245{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.230{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FF04-000000006F02}9056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-F163-62DF-1F04-000000006F02}22649008C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000278938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.227{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.226{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FE04-000000006F02}9048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.208{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.208{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.192{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000278929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.177{F81F30E6-F3FB-62DF-FB04-000000006F02}89609032C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.177{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E804-000000006F02}8420C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-F3FA-62DF-E904-000000006F02}84608464C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.170{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.161{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FD04-000000006F02}9020C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D98B-62DF-3600-000000006F02}31323152C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D97A-62DF-0500-000000006F02}41292C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D98A-62DF-2E00-000000006F02}27803956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.149{F81F30E6-F3FB-62DF-FC04-000000006F02}8980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F81F30E6-D97A-62DF-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{F81F30E6-D98A-62DF-2E00-000000006F02}2780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000278906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.145{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C4ECDEE3CB1090CDEC79140D18067,SHA256=6DE4DCE206DEB70179401FBFDD55D0F41F0432DE68DCB7963303DB1D05FAF77D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FB04-000000006F02}8960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-F163-62DF-1F04-000000006F02}22648900C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.138{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-FA04-000000006F02}8952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-F104-000000006F02}8692C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.130{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F304-000000006F02}8724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.129{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.129{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.125{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000278886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD28056C01EF07C7E46AC0648E2DCA3D,SHA256=FFD6D42D5A4530D4407DE3936E98129548259405A16445D9EA8EBFC9B5C9B2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000278885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.108{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-F3FB-62DF-F804-000000006F02}88728924C:\Windows\system32\conhost.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-F3FA-62DF-E604-000000006F02}83688372C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.094{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.092{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F904-000000006F02}8904C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E904-000000006F02}8460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F804-000000006F02}8872C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-F163-62DF-1F04-000000006F02}22648836C:\Temp\dcrat.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.078{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000278860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.077{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F704-000000006F02}8864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E504-000000006F02}8328C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.061{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-DE04-000000006F02}2984C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-ED04-000000006F02}8548C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-F004-000000006F02}8632C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FA-62DF-EE04-000000006F02}8600C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.046{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FA-62DF-E604-000000006F02}8368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-F3FB-62DF-F504-000000006F02}87968840C:\Windows\system32\conhost.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.030{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FA-62DF-E104-000000006F02}8224C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-F3FA-62DF-E304-000000006F02}82848288C:\Windows\system32\cmd.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000278827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.003{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FA-62DF-E304-000000006F02}8284C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000278826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F604-000000006F02}8804C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FB-62DF-F504-000000006F02}8796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000278820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000278819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.992{F81F30E6-F163-62DF-1F04-000000006F02}22648744C:\Temp\dcrat.exe{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000278818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:34.998{F81F30E6-F3FA-62DF-F404-000000006F02}8780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 23542300x8000000000000000279245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.893{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\respondent-20220726120948-109MD5=369DD308E953FB115558C25A87FA7436,SHA256=F8D888C61BEF90997E9DA9024DED7AC04FA2757575784335A529296D09245F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.875{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.392{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B3FB8FA1819203F0D95A63AD66A102,SHA256=AC4E0A5EE7E58A69D5CBB3F44BC28C561410B8DFB8A4E74B742DCA113D50F355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0605-000000006F02}9232C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.060{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0505-000000006F02}9180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0405-000000006F02}8256C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0305-000000006F02}8552C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0205-000000006F02}9208C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0105-000000006F02}9160C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:36.044{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9C8F61DF01CC442373C31F995DDE81,SHA256=4923D30BC02F339117C9769FDC525FF6E8A627640C5A4C4C7D5B12BFEA1B8260,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.991{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FB-62DF-0005-000000006F02}9112C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:36.449{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6691D697F58F16F35E196ADD3F554F37,SHA256=8279DE149006903D65C0DEF4C1078DB15A76B96243D97A74E8B9004D9B25BEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:37.907{F81F30E6-D98A-62DF-2900-000000006F02}2592NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f0cc84e036a5373b\channels\health\surveyor-20220726120946-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:37.543{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B9714A7C74D584ED93B2AE6156AB49,SHA256=21F099818ADAFB4CD473941DA8C079102BDFF2AFAB136FFC66850D806D086336,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000279246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:35.156{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64968-false10.0.1.12-8000- 23542300x800000000000000053444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:37.543{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95FBF2E3DAE7079E5410207509A3021,SHA256=8C53198F4F89BB299B8517130DA2EB74EF600F280F7920096B57AE96329055BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.705{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.674{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.674{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.658{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A73B770770CC1B06D872F41DB8A95B,SHA256=FB355A2F92AAEAA981CC4DC3CD44E5D569281DBD3524E91AA9016239CEF595D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.643{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.627{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.621{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.605{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-F3FE-62DF-0805-000000006F02}93609364C:\Windows\system32\cmd.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.602{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0A05-000000006F02}9408C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.576{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.558{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.543{F81F30E6-F3FE-62DF-0905-000000006F02}93689388C:\Windows\system32\conhost.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0905-000000006F02}9368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-F163-62DF-1F04-000000006F02}22649356C:\Temp\dcrat.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.535{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:38.527{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F3FE-62DF-0805-000000006F02}9360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:38.637{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F674E92AA4A9428BBAB3144B41469,SHA256=40A824923C87C4FB8683488CF24F44F103326C3C08895069E77751D5147FE7D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:39.842{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000053446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:39.731{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D341CF8A5F72B68A71AF9A0447ECE8FC,SHA256=1A0F62F6F7EFA20CFD80E29F8BE61EFA963DD611D58B4E0967D5ADE45BF4C99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000053448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:40.824{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC13CA625731590C48C8B27BFDA181E1,SHA256=49A48B0339AB63F23CA25B58D8A0085A1E670648672C271A6B6E058BC730E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.972{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA700F7F2095E4FDB80009802754AE79,SHA256=98A1BB971173C31E4A572254657EF1FD76441083654AEAA3F9FEFD45A4D73D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.104{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53489EE9E960F1F71F23F9F40BD0353,SHA256=0E01A1BA72FF7C7FD644914AEFEB67C27D2D1690034D1399CF4D5DF5EFFB51CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000053447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:39.177{53069400-D988-62DF-6100-000000007002}3140C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-459.us-east-2.compute.internal51036-false10.0.1.12-8000- 23542300x800000000000000053449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-459-2022-07-26 14:02:41.918{53069400-D990-62DF-7300-000000007002}3208NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B58A2C7135518EFE0C79D7152570BA,SHA256=91F16108C2D738CC26046FFF66725CAC6611AC3AEBC21CE805865A1EB07F0F05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.989{F81F30E6-F401-62DF-2205-000000006F02}1001210040C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.973{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-F163-62DF-1F04-000000006F02}22649960C:\Temp\dcrat.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.966{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.960{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.942{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.926{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.923{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.923{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.922{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-F401-62DF-1105-000000006F02}95889592C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.921{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-F401-62DF-1F05-000000006F02}99409968C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.904{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1F05-000000006F02}9940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-F163-62DF-1F04-000000006F02}22649900C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.892{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.889{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.873{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.873{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB3999A1474FE1504C0CF02162538D9,SHA256=D1DC7A66417B77CB6F5BE5A6C658D685A13577C000F099967D54A10063135638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.857{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F5AF6E1FADA75B24055EA6E9B2A0E4,SHA256=6CEC3DC5F7A12E6381E952D52EA9DA5C5F8F80A3722E5DCB0F981ADE827CF1F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-F401-62DF-1D05-000000006F02}98689904C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.843{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.826{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.826{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1D05-000000006F02}9868C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.822{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-F401-62DF-0F05-000000006F02}95489552C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.821{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-F163-62DF-1F04-000000006F02}22649828C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.815{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.804{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.789{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.773{F81F30E6-F401-62DF-1A05-000000006F02}98089832C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1A05-000000006F02}9808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-F163-62DF-1F04-000000006F02}22649744C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.758{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1905-000000006F02}9792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.742{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.726{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.726{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-F401-62DF-1705-000000006F02}97209764C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-F401-62DF-0D05-000000006F02}95049508C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.715{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.705{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1705-000000006F02}9720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.689{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-F163-62DF-1F04-000000006F02}22649684C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000279438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.684{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1605-000000006F02}9704C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.658{F81F30E6-F401-62DF-1505-000000006F02}96769700C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.658{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1505-000000006F02}9676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-F163-62DF-1F04-000000006F02}22649624C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.644{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1405-000000006F02}9668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.642{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.626{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.625{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-F401-62DF-1205-000000006F02}96009644C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-F401-62DF-0B05-000000006F02}94609464C:\Windows\system32\cmd.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.616{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.604{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1305-000000006F02}9636C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1205-000000006F02}9600C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-F163-62DF-1F04-000000006F02}22649568C:\Temp\dcrat.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.594{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1105-000000006F02}9588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.589{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.573{F81F30E6-F401-62DF-1005-000000006F02}95569580C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.557{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-1005-000000006F02}9556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-F163-62DF-1F04-000000006F02}22649520C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.555{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0F05-000000006F02}9548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.542{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.526{F81F30E6-F401-62DF-0E05-000000006F02}95129536C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.525{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.525{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.524{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.523{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.521{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.520{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0E05-000000006F02}9512C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-F163-62DF-1F04-000000006F02}22649476C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.510{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0D05-000000006F02}9504C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.503{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-F401-62DF-0C05-000000006F02}94689492C:\Windows\system32\conhost.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0C05-000000006F02}9468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.487{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-F163-62DF-1F04-000000006F02}22649456C:\Temp\dcrat.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.486{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:41.472{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F401-62DF-0B05-000000006F02}9460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.972{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.957{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.941{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46884836C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c148|C:\Windows\System32\TwinUI.dll+7572d|C:\Windows\System32\TwinUI.dll+75303|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.925{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.921{F81F30E6-D9BD-62DF-9000-000000006F02}46886104C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.904{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.888{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.872{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-F402-62DF-3205-000000006F02}72647308C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.863{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.857{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3A05-000000006F02}10356C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.841{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6541909B6ACD29525795A679297FC354,SHA256=43FACE1E9AE23466F8FCD2BA7E15A8FB11372BD62C74CE8C270F2091F7EF1DC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.825{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-F402-62DF-2F05-000000006F02}81726276C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.811{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3905-000000006F02}10320C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.804{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.788{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-F402-62DF-2C05-000000006F02}74089348C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.758{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.757{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3805-000000006F02}10280C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.741{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.741{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1F3676CF8B3CB636DCAF66C15D7427,SHA256=CDD11130A4939590BC022AE4C424B9253FF4FCB65F0AE0CB700E73692C58084B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.726{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.724{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.723{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.722{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-F402-62DF-2905-000000006F02}1023210236C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.701{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3705-000000006F02}5056C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.688{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.673{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.657{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.641{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.641{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-F402-62DF-2605-000000006F02}1014410148C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.635{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3605-000000006F02}9908C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.626{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.623{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.604{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80C2230EE5268D5607091E50D87B85C,SHA256=472B327627D0A46D36FA70922286A83840DEA90DB31960203AEF6D209A9CDE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000279838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.588{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09575DC38C2F4768891BE9F4A41C2DD4,SHA256=EDA49FE36F1F115FEA78F4AE1B3AFA6CDA417585A6DB340A672F862E1FC95E8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.573{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2605-000000006F02}10144C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-F402-62DF-2305-000000006F02}1005610060C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.560{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.557{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3505-000000006F02}8656C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.541{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-DE12-62DF-7B01-000000006F02}6260C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.526{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.504{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2305-000000006F02}10056C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000279798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:40.231{F81F30E6-D995-62DF-7000-000000006F02}4060C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-502.attackrange.local64969-false10.0.1.12-8000- 10341000x8000000000000000279797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-F401-62DF-2105-000000006F02}1000410008C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.494{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3405-000000006F02}7392C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.489{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-F402-62DF-3305-000000006F02}69087384C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2005-000000006F02}9976C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.473{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3305-000000006F02}6908C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.457{F81F30E6-DE12-62DF-7B01-000000006F02}62606312C:\Users\Administrator\Downloads\dnSpy.exe{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|UNKNOWN(00007FF972E3853B) 10341000x8000000000000000279776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-F163-62DF-1F04-000000006F02}22647580C:\Temp\dcrat.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 10341000x8000000000000000279769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.454{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3205-000000006F02}7264C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.442{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3232752DC701416E919F46B081132E0C,SHA256=BE46ED05AEC07D708F7792A098F875BF74A69C91C588AFEE2884D28448B5943C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.426{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-F402-62DF-3005-000000006F02}6852216C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-F401-62DF-1E05-000000006F02}99209924C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.412{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1E05-000000006F02}9920C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3105-000000006F02}5180C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.404{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2805-000000006F02}10172C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-2105-000000006F02}10004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-3005-000000006F02}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D9BA-62DF-8100-000000006F02}38884056C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-F163-62DF-1F04-000000006F02}22644896C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.389{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2F05-000000006F02}8172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.373{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2705-000000006F02}10164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-F401-62DF-1B05-000000006F02}98489852C:\Windows\system32\cmd.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000279720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.364{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\System32\notepad.exe10.0.14393.4169 (rs1_release.210107-1130)NotepadMicrosoft® Windows® Operating SystemMicrosoft CorporationNOTEPAD.EXEnotepad.exe C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=BA78FCF8CA9D806C6C047357E31748DE,SHA256=34A07759492E31AEC2A009505FE8DFB50242375C4308AD4657B2872F4F75A077,IMPHASH=968239BE2020F1C0DAFFDCDBD49E9C82{F81F30E6-F401-62DF-1B05-000000006F02}9848C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" " 10341000x8000000000000000279719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2E05-000000006F02}8156C:\Windows\system32\notepad.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1C05-000000006F02}9860C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000279714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D99D-62DF-7A00-000000006F02}3908NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA34295B5E271885F5D6A76ECB7817EC,SHA256=D73C35D9862E44B28104FE9A99DADE8A91E575BD6CAFB5E6FFA609D6FA3FF0D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000279713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.357{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dbe05|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbd1e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dbce7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-D9BD-62DF-9000-000000006F02}46885320C:\Windows\Explorer.EXE{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bf4f|C:\Windows\System32\windows.storage.dll+13acd3|C:\Windows\System32\windows.storage.dll+1391ff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.342{F81F30E6-F402-62DF-2D05-000000006F02}6687448C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BA-62DF-8100-000000006F02}38882172C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2D05-000000006F02}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-F402-62DF-2505-000000006F02}10096C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+54fdb|C:\Windows\System32\RPCRT4.dll+536ba|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7ea|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BA-62DF-8100-000000006F02}38884516C:\Windows\system32\csrss.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000279696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-F163-62DF-1F04-000000006F02}22649300C:\Temp\dcrat.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+16e7eb|C:\Windows\System32\windows.storage.dll+16e501|C:\Windows\System32\windows.storage.dll+16e14e|C:\Windows\System32\windows.storage.dll+16f3f0|C:\Windows\System32\windows.storage.dll+16de9e|C:\Windows\System32\windows.storage.dll+fce6d|C:\Windows\System32\windows.storage.dll+fd5ac|C:\Windows\System32\windows.storage.dll+fc910|C:\Windows\System32\shell32.dll+49cdf|C:\Windows\System32\shell32.dll+49b6c|C:\Windows\System32\shell32.dll+498bc|C:\Windows\System32\shell32.dll+10d2c7|C:\Windows\System32\shell32.dll+10d225|UNKNOWN(00007FF984B29B5F) 154100x8000000000000000279695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.294{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Local\Temp\wpigNgqS7W.bat" "C:\Temp\ATTACKRANGE\Administrator{F81F30E6-D9BC-62DF-96BA-070000000000}0x7ba962HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{F81F30E6-F163-62DF-1F04-000000006F02}2264C:\Temp\dcrat.exe"C:\Temp\dcrat.exe" 10341000x8000000000000000279694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D97C-62DF-1300-000000006F02}9563040C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2C05-000000006F02}7408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.289{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2B05-000000006F02}9304C:\Windows\system32\notepad.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281992C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D97C-62DF-1500-000000006F02}12281264C:\Windows\System32\svchost.exe{F81F30E6-F402-62DF-2A05-000000006F02}8276C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dad1f|C:\Windows\System32\SHELL32.dll+dc490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123950|C:\Windows\System32\SHELL32.dll+dc44c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+daf74|C:\Windows\System32\SHELL32.dll+dc420|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.273{F81F30E6-D9BD-62DF-9000-000000006F02}46884944C:\Windows\Explorer.EXE{F81F30E6-F402-62DF-2405-000000006F02}10072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-2205-000000006F02}10012C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-F402-62DF-2A05-000000006F02}82769352C:\Windows\system32\conhost.exe{F81F30E6-F402-62DF-2905-000000006F02}10232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.257{F81F30E6-D9BC-62DF-8B00-000000006F02}43324400C:\Windows\System32\taskhostw.exe{F81F30E6-F401-62DF-1805-000000006F02}9756C:\Windows\system32\notepad.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000279681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-502.attackrange.local-2022-07-26 14:02:42.242{F81F30E6-D97C-62DF-0C00-000000006F02}8522056C:\Windows\system32\svchost.exe{F81F30E6-D98A-62DF-2B00-000000006F02}2656C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af43|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5370c|C:\Windows\System32\RPCRT4.dll+35b04|C:\Windows\System32\RPCRT4.dll+34a1d|C:\Windows\System32\RPCRT4.dll+352cb|C:\Windows\System32\RPCRT4.dll+210bc|C:\Windows\System32\RPCRT4.dll+2153c|C:\Windows\System32\