11241100x8000000000000000242133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:21.021{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:21.021{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CF0EA76E8B33D22A458132B8CC105E,SHA256=E81DE19CE9A3826485D8252B88A4C9CF5D71CEB48022216B00F7D8F675564403,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:22.024{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:22.024{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6D6BD9C04DA7FDF8E2319B302A1DC8,SHA256=F3F5959BFB8FAB1F0825E855DAF082C9D8A48FCE70DA48C7D765305CB8721819,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:20.453{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:23.127{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:23.127{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE89CACC235AB35D542D746352DE2AC,SHA256=DD4437A89A576766B669747F8B2B5CEA97959F026FF4BFDE85259DE2CF06F28E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:24.132{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:24.131{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C708903F5755EBC8E812108F009E82,SHA256=96634943F1D6FC2B59C471E0A3F07D1872AF1BF9A7E83A05161E526EC36488F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:25.234{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:25.234{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10582A7568863DEBF8DA88F0BF14FD05,SHA256=C42826B522FA152F80C4B16C03554C77FBF59E8E3C1819F84D3AB04B42C569E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:26.338{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:26.338{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489E9BB19BCFE4E6BC14EB5975E6ED76,SHA256=43EEF8F5DFEEB561724A4C19B071FB1A2AF6FCE24C691FA8E294604F020B142B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:26.124{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:13:26.124 11241100x8000000000000000242147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:27.440{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:27.440{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F3CC6801C9BA544A3C4B871E8E6F12,SHA256=D9A1618E6ADE20033FA58AEA16FAE6340E6FB16C4BA86BB12AAD04BAEA1AEB6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:25.495{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000242149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:28.544{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:28.543{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BFB5123ABDDB1EA05BBB7D888611B8,SHA256=4B5C8B63C88F59062CABB8A397168C599E032F41A68FE736C4FAAA3F756A7554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.630{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:29.628{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.627{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.627{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.549{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.549{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5181DBF921850EDB4232B6C58CC933FC,SHA256=6A7F0A2C2C6915B039AB5DFBAB5A8C2EC6BC06C8B638C69782E580537ADEB4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.259{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB46760B9D11E39A14B2B4B70D8D7336,SHA256=117F79CDB41EB8858C7FC5900982C841122FC4462C6B4D8E0A1335ABF77C9CBF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000242183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.961{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-231A-6260-B902-000000004402}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.960{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:30.959{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.959{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:30.959{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.959{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-231A-6260-B902-000000004402}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.959{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-231A-6260-B902-000000004402}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.959{8D845A55-231A-6260-B902-000000004402}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:27.682{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57765-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:27.682{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57765-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000242173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.659{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.659{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9871252B1B4059B8330C80D255DB1E,SHA256=E2078F603A0D6740832978058D0A1EF228E5BE10692D876808E8D292EC12C646,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.390{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000242170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:30.389{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Sysmon records, one per block, with field names as in the Sysmon event schema. Every record carries Keywords=0x8000000000000000, Channel=Microsoft-Windows-Sysmon/Operational, Computer=win-dc-ctus-attack-range-355.attackrange.local and RuleName=-, so those four fields are not repeated below.

(tail of a FileDelete record, Event ID 23, whose start precedes this section)
  TargetFilename=...Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security
  Hashes=MD5=B5EAB004D3DFDB783681C97EAF5ED28C,SHA256=431FE36977690FA18CBC4C51F0976A10128495878F5D6E5D632E5F8C0FED8DF0,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

[242169] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.294
  SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId=3292 | SourceThreadId=3312 | SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={8D845A55-231A-6260-B802-000000004402} | TargetProcessId=2412 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242168] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.293
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242167] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.293
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242166] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.292
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242165] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.292
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242164] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.292
  SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} | SourceProcessId=420 | SourceThreadId=4820 | SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={8D845A55-231A-6260-B802-000000004402} | TargetProcessId=2412 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

[242163] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:30.292
  SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | SourceProcessId=3040 | SourceThreadId=3752 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={8D845A55-231A-6260-B802-000000004402} | TargetProcessId=2412 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242162] EventID=1 ProcessCreate | Version=5 Level=4 Task=1 Opcode=0 | UtcTime=2022-04-20 15:13:30.292
  ProcessGuid={8D845A55-231A-6260-B802-000000004402} | ProcessId=2412 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
  FileVersion=8.2.5 | Description=Network monitor | Product=Splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-netmon.exe
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" | CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM | LogonGuid={8D845A55-159B-6260-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System
  Hashes=MD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52
  ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} | ParentProcessId=3040 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[242186] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:31.767
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

[242185] EventID=23 FileDelete | Version=5 Level=4 Task=23 Opcode=0 | UtcTime=2022-04-20 15:13:31.767
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=488A5E87F68500D0C465163E8D3079C8,SHA256=E2652C855114DF3A001F1FC68C25CF4B8A0D2E3524E88EB9F72988C4B615BD6F,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

[242184] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:31.128
  SourceProcessGUID={8D845A55-231A-6260-B902-000000004402} | SourceProcessId=4204 | SourceThreadId=4332 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
  TargetProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | TargetProcessId=3040 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242207] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.884
  SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId=3292 | SourceThreadId=3312 | SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={8D845A55-231C-6260-BB02-000000004402} | TargetProcessId=4080 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242206] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242205] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242204] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} | ProcessId=6032 | Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\AlternateServices.txt | CreationUtcTime=2022-04-12 13:36:19.111

[242203] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242202] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242201] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} | SourceProcessId=420 | SourceThreadId=356 | SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={8D845A55-231C-6260-BB02-000000004402} | TargetProcessId=4080 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

[242200] EventID=23 FileDelete | Version=5 Level=4 Task=23 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} | ProcessId=6032 | User=ATTACKRANGE\Administrator | Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\AlternateServices.txt
  Hashes=MD5=4FA74B62D6387707C7CA607B916D152F,SHA256=A79A6807ABB75A8C2BAC2A79A5B8D41D794E24A562004803AFE17B0FDFCD6FBC,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

[242199] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | SourceProcessId=3040 | SourceThreadId=3752 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={8D845A55-231C-6260-BB02-000000004402} | TargetProcessId=4080 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242198] EventID=1 ProcessCreate | Version=5 Level=4 Task=1 Opcode=0 | UtcTime=2022-04-20 15:13:32.883
  ProcessGuid={8D845A55-231C-6260-BB02-000000004402} | ProcessId=4080 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=-
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 | CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM | LogonGuid={8D845A55-159B-6260-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System
  Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9
  ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} | ParentProcessId=3040 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[242197] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:32.875
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

[242196] EventID=23 FileDelete | Version=5 Level=4 Task=23 Opcode=0 | UtcTime=2022-04-20 15:13:32.875
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=CE6DB7B8566FA9CB53C939C8B4107192,SHA256=44BE4A3EA25E315363BE46BFBA7227CFE1FBD51AC19C0E0820C1FB284D1A820A,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

[242195] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.416
  SourceProcessGUID={8D845A55-231C-6260-BA02-000000004402} | SourceProcessId=5548 | SourceThreadId=5180 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | TargetProcessId=3040 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242194] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.207
  SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId=3292 | SourceThreadId=3312 | SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={8D845A55-231C-6260-BA02-000000004402} | TargetProcessId=5548 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242193] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.203
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242192] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.203
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242191] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.203
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242190] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.203
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242189] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.203
  SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} | SourceProcessId=420 | SourceThreadId=4820 | SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={8D845A55-231C-6260-BA02-000000004402} | TargetProcessId=5548 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

[242188] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:32.202
  SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | SourceProcessId=3040 | SourceThreadId=3752 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={8D845A55-231C-6260-BA02-000000004402} | TargetProcessId=5548 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242187] EventID=1 ProcessCreate | Version=5 Level=4 Task=1 Opcode=0 | UtcTime=2022-04-20 15:13:32.202
  ProcessGuid={8D845A55-231C-6260-BA02-000000004402} | ProcessId=5548 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=-
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" | CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM | LogonGuid={8D845A55-159B-6260-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System
  Hashes=MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9
  ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} | ParentProcessId=3040 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[242223] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:33.986
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

[242222] EventID=23 FileDelete | Version=5 Level=4 Task=23 Opcode=0 | UtcTime=2022-04-20 15:13:33.985
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=5453EF801B916FFFE55D8EAC54976274,SHA256=7ABB7D5C86E88A24BFC1855A69CCF1451A37D3E869ADD223274F3123624ADEB8,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

[242221] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.729
  SourceProcessGUID={8D845A55-231D-6260-BC02-000000004402} | SourceProcessId=1920 | SourceThreadId=1300 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  TargetProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | TargetProcessId=3040 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242220] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.556
  SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId=3292 | SourceThreadId=3312 | SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={8D845A55-231D-6260-BC02-000000004402} | TargetProcessId=1920 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242219] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.555
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242218] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.554
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242217] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.554
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242216] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.554
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242215] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.554
  SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} | SourceProcessId=420 | SourceThreadId=536 | SourceImage=C:\Windows\system32\csrss.exe
  TargetProcessGUID={8D845A55-231D-6260-BC02-000000004402} | TargetProcessId=1920 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

[242214] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.554
  SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | SourceProcessId=3040 | SourceThreadId=3752 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID={8D845A55-231D-6260-BC02-000000004402} | TargetProcessId=1920 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242213] EventID=1 ProcessCreate | Version=5 Level=4 Task=1 Opcode=0 | UtcTime=2022-04-20 15:13:33.554
  ProcessGuid={8D845A55-231D-6260-BC02-000000004402} | ProcessId=1920 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion=8.2.5 | Description=Registry monitor | Product=splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-regmon.exe
  CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" | CurrentDirectory=C:\Windows\system32\
  User=NT AUTHORITY\SYSTEM | LogonGuid={8D845A55-159B-6260-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System
  Hashes=MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778
  ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} | ParentProcessId=3040 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[242212] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:33.263
  ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} | ProcessId=6032 | Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | CreationUtcTime=2022-04-20 15:13:33.263

[242211] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:33.263
  ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} | ProcessId=6032 | Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal | CreationUtcTime=2022-04-20 15:13:33.262

[242210] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:33.257
  ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} | ProcessId=6032 | Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | CreationUtcTime=2022-04-20 15:13:33.257

[242209] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:33.257
  ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} | ProcessId=6032 | Image=C:\Program Files\Mozilla Firefox\firefox.exe
  TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | CreationUtcTime=2022-04-20 15:13:33.257

[242208] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:33.064
  SourceProcessGUID={8D845A55-231C-6260-BB02-000000004402} | SourceProcessId=4080 | SourceThreadId=972 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
  TargetProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | TargetProcessId=3040 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess=0x101400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242234] EventID=11 FileCreate | Version=2 Level=4 Task=11 Opcode=0 | UtcTime=2022-04-20 15:13:34.994
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

[242233] EventID=23 FileDelete | Version=5 Level=4 Task=23 Opcode=0 | UtcTime=2022-04-20 15:13:34.993
  ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes=MD5=0EE4B4A0978D573792E1F181FADCBADB,SHA256=16D444021FA0EA8F8DB23F83EEFD696E22CB24BFCEBCE283F4351B2266B60A8E,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

[242232] EventID=3 NetworkConnect | Version=5 Level=4 Task=3 Opcode=0 | UtcTime=2022-04-20 15:13:31.435
  ProcessGuid={8D845A55-15B9-6260-7900-000000004402} | ProcessId=3332 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM
  Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-355.attackrange.local | SourcePort=57766 | SourcePortName=-
  DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal | DestinationPort=8000 | DestinationPortName=-

[242231] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:34.220
  SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId=3292 | SourceThreadId=3312 | SourceImage=C:\Windows\system32\conhost.exe
  TargetProcessGUID={8D845A55-231E-6260-BD02-000000004402} | TargetProcessId=6084 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe | GrantedAccess=0x1fffff
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242230] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:34.219
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242229] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:34.218
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[242228] EventID=10 ProcessAccess | Version=3 Level=4 Task=10 Opcode=0 | UtcTime=2022-04-20 15:13:34.218
  SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=4504 | SourceImage=C:\Windows\system32\svchost.exe
  TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400
  CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000242227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:36.095{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:36.095{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D6F2E6B6EC535886F99AAA475329DC,SHA256=C24833686F583166D4038BF5434B79749EA095E5B0AC0D94D5B69EF604266BD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:37.203{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:37.203{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A8764BCA954946D306461BAA4B38A1,SHA256=4FC9DBDCEAA814B80073B91EC9EA063EDD67F1FA18828871866D43343ECFE114,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:38.308{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:38.307{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2163E2C46DA2374DF49F42A88FA4804D,SHA256=5BB9A6565ABC56AF5007F82C39111494B758C54AC65989552DB31AD853103B67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:36.514{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:39.313{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:39.313{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D145FC1940687DD4DCA16B2BC8C2736,SHA256=96726753FEA45B9C9A4E554C89EF1102F59EAC662686838FFD9F8F8065B523FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:40.416{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:40.416{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C6F131391B5C6EF62451294553401A,SHA256=BF64BDD23879AFAA2DCBDAFC8860BC3992989CFB924F987AA94A10D7A7E6E08A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.526{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.526{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB0FFF8AA8AB2A300E952F415AC884B,SHA256=32818A900177774D6442E168103F778869BC5114454EF7156E2F37FDB38DC84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.448{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-055MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.447{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0552022-04-20 15:13:41.447 11241100x8000000000000000242246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.446{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0562022-04-20 15:13:41.446 11241100x8000000000000000242253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.532{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.532{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9C69081F5B338F44C81A307BD69B14,SHA256=606EB313251C2C7B09A676CC373954813078060EC115DAE1D8D30C4D10849FA7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000242251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.447{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:43.636{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:43.636{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03743CF6CDE2C46746B48FB3017207E0,SHA256=5452F73DFD6479C300D95089EDA5C6D28EB8D83142DEEB741852993A5CA4140F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:44.739{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:44.739{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65227228CD741DDB13F9064764E64C1,SHA256=066FB135F0F1FC1C9C8C3EFD995FBFC79857EDF8EFD1086FCD250313CF4CC8FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.503{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.844{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.843{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA6FB2FD7A89178B87A39EDF974AD02,SHA256=BF95BE36FD64A2CC5788CC3C00A1BBFA571A5C049D151A7243867BD2B1095E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.268{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.267{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6F49DFBA80F17DD12EB5F0242AEB6698,SHA256=51700D8363F0AB6159135F908EE8D316AE85E2F5FA3D5728DB4D03F9D10F6751,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:47.150{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:47.150{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A842F8FB977B4EDD198089BB280DF8,SHA256=C1D785C60B500737953010DF6401FF75CF4A70A5D135B6D604156DD1C68BEABB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:48.154{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:48.154{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE05EB7CE7B0D362CC5B678789A2134F,SHA256=48D3728E439B0497EE84EC94CA2FD7A5612AAA51741B7C97D775DB242786E1C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:49.257{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:49.256{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A74E331253E2B982E0B6EE2240F5E0,SHA256=D1B2AD7981B2003678390750C28B2ACC053965BC4F99EA40E0338CAB828F23FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:47.600{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57769-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:50.261{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:50.260{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8668AC635B0B1437EA24A66C0ED4F8A0,SHA256=7F578F7CE7C8ABB34B3158535A60761241E7CB195005C1ECF9E8A06E6C69750E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:51.364{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:51.364{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A4E4E1C5CED08874069E6BF3506599,SHA256=4DD1382588DA1B98528EF97751AB64DB5E15F506387A082E7ABBA892552D0462,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:52.371{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:52.371{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47557355561B5CF6F30347118DE0397C,SHA256=B69BD22100B0224F73E5F4C9ED5469B197885A949F0BF9382ACB2B68CB98ADC9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:53.379{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:53.379{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCB11AA92FD8FEB803A51BC6B942DB9,SHA256=C3F554F74AE160A1D4698E107EFEAD4FD517FE300AB0B4719728A1D99481B787,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:54.482{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:54.482{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F1469826AD68F41B9B9C526EA8F678,SHA256=429212A30EF0BC73A03D66CEB5E2368C564D1A7B976413983F171D882E2320AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:55.488{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:55.488{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E86B138A9DC26AA4CAF1BC5FF06BB6,SHA256=174096F7DD2A3AAD638C16F1451AC68A32067EB9887DEC636A923F3EB83FF5F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.592{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.592{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E015FED7B6EA091C202D7372CC202C0,SHA256=5255B91B1A97B41CFA816434C333ED3C43A7865A416B2B7710AF621F268CEC29,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.117{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:13:56.117 354300x8000000000000000242287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:53.426{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:57.696{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:57.695{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F9B3A36437CE364F90ED66BCE18099,SHA256=68655EBB383854BE2212D95B287F1ECC500445C4F559748A3468FB87C5D4E2E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:58.700{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:58.700{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA24413B5C1C7BF4C0117994F67B7D3,SHA256=A132E427522E99C6B2919503AAE7EDEBB42EF6D5617828A052055AFA2181AC2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.805{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.805{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54C43395940523C66E43D0D2B52377,SHA256=DA3C9DC21B2C167B4266D1B111B9C3279EA7C797E551CB491D6E1500111A176D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.289{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000242291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.289{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0003603650DDB72E2E32CBF848AFCDBB,SHA256=0D7D913830645F1F1811830A9DD35DA2478EA3832D3223C165A3AA9DA196507B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.267{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E4AB6C4DE9CCDA606079B265A90F22E1,SHA256=12F5BEEDC35EB7738EB9D029B831815CCD8B601A817FFD2A2394100DC7490107,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:00.911{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:00.911{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE1E5F09C7A04E3B6E026FD0A53E25,SHA256=C7C5C60CCE271518B8318DA0BDFA6D6D12A020E9523EDD924ED57FA2D9111FFE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000242304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000242303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00353e01) 13241300x8000000000000000242302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d854c0-0xe1545bea) 13241300x8000000000000000242301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d854c9-0x4318c3ea) 13241300x8000000000000000242300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d854d1-0xa4dd2bea) 13241300x8000000000000000242299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000242298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00353e01) 13241300x8000000000000000242297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d854c0-0xe1545bea) 13241300x8000000000000000242296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d854c9-0x4318c3ea) 13241300x8000000000000000242295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d854d1-0xa4dd2bea) 354300x8000000000000000242307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:58.430{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:02.014{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:02.014{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1700D73E7679A00FF807E153E7CC434,SHA256=69ECB9C55C17DF5A74410D42489A91E6E569EA206CB2B921C1DFDDB5FEB9F31F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.267{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000242312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.267{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.118{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.118{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098FDD32E58F28BE0A1AD161F52248A2,SHA256=33E72C8124B59F62FDC3596E350B3A96976CD7118D2DDF98BA69BABD293D8CDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:01.654{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000242315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:04.124{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:04.124{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4E1F3131A30C394328A1806E01B1D6,SHA256=7823D0C0FE2D64F292284EE7EBE438505867F4563AA871DEFB32BCB70743FAB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:05.228{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:05.227{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3071552BE9403BCA422A3844BFE3DFC5,SHA256=BA8BDD77CBD99A81D3A1D06DB23D8975630C8F399B9BFF2B6C6428791B393577,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.594{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000242320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:06.331{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:06.330{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B619A10E4AF0BED14298D4A8A384362,SHA256=CBD20CEB63C9AC6D2135BA7C4CCBCD90CC2D23E3E66B56C64D33219CA41C7977,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:07.433{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:07.433{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9ACC7D5737466252C60AAED174D461,SHA256=CD0FED43915598692FB0A63A3344E472C5EB07AB08D29600085719BAB0C312ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:08.436{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:08.435{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEA4D887971BA84D841D7C928B83E7E,SHA256=94D8237F169BDF7D29C5C6534192EF26AA467D234B56AC2FEE837662C6295B64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:09.540{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:09.540{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6596E92337F31F147455885E2160A0F4,SHA256=EC847CD3A86454BE42B89E25A15A193451C656127C5992500EBAE0E28C94AEB2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:10.544{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:10.544{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12DCAC2D493E308D77905E206B8B320,SHA256=DC908F2C537E22C6DE7C4CA8F8D11714EC3DF9275DC98792F22CD10161125DAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:11.649{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:11.648{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4499B50D9948D2A82458E0C1BBA56791,SHA256=E3E9C169297A566E25FC07DCBB277B2FCDECD23E1ADDC9F179B33E84D303820C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:09.499{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:12.752{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:12.752{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB45382134B277E73CF3A605385C7B65,SHA256=7EBC449BB36C3FA5466EF20C6D2EDFFCA86D0B1A80FA2418037466AD973881E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:13.856{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:13.856{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBDF1C28BE9BBFB52B180B21631EB1C,SHA256=8EF04865DDF277C4AB9555A00E1759E6A65231B0F7639F65A8530602CE803136,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:14.960{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:14.960{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A902D007A1637C1C602EC5AB55A992A,SHA256=6F68122676CBE1897311C0EE5F8B5640DE78D8C8E7A05804F000F1B257B42346,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:16.066{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:16.066{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA1476F2D1E98B496CB769C4CDCA3F2,SHA256=3CDF6AC844DD6A3E5E495788CE6219F1FBB478CDB6F2143CD1EE6CBD355B42C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:17.172{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:17.172{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6957029EF43E5B7CBE092EFE9A518207,SHA256=CC05BD5DC7422721A5492C232AE36A9E66C71B057761D8B489183D307596C451,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:15.463{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57775-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:18.377{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:18.377{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B54EFC9392E2072403DED5D3B245655,SHA256=D0F93E9D8BD6B96CDD55F3BC69013B15964DA8FCEDFB60D7C7AAD2232EB002D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:19.487{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:19.487{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12837D96ACB15E831D504527172026E,SHA256=FBCF347D9953B291B8DDC5202444F337587E6373CEB9A4BD4F2D660881778891,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:20.692{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:20.691{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6D3A6DE5CB0DF226CC7128DDE78920,SHA256=8C95F20733EDC7527D8A83CEB2C78A2E6866EF24DF54A0E47404239CD1E6237C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.888{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.887{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E0388D5B0B143249116801E45F029E,SHA256=18C9E250102BF7823D47850F04546A4027276188AA6910E51FF4038180810AE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
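The records above are Sysmon events (EventID 11 FileCreate, 23 FileDelete, 3 NetworkConnect, 13 RegistryEvent SetValue, 10 ProcessAccess) whose XML element boundaries were stripped, so the System fields run straight into the EventData fields. The following Python is an added example, not part of this dataset or of any Splunk/attack_range tooling: it splits such flattened records back into named fields and runs a small triage pass over them. It assumes the field order is the Sysmon schema order for each EventID, that all addresses are IPv4 (IsIpv6 is false throughout), that RuleName is "-" in every record, and that the fused SourceProcessId/SourceThreadId digits of EventID 10 cannot be separated without the original XML. The egress allowlist (10.0.1.12 on 8000 and 8089, the Splunk host the forwarder binaries talk to in this dump) and the two records with EventRecordID 900001/900002 (an LSASS open and a Run-key write by a hypothetical C:\Users\Public\dumper.exe) are constructed for the example; the other five sample records are copied verbatim from the dump.

```python
"""Parse flattened Sysmon records (System fields + EventData with boundaries removed) and triage them."""
import re
from collections import Counter

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"                      # UtcTime / CreationUtcTime
GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
EXE = r"[A-Za-z]:\\.+?\.exe"           # an Image field: drive letter up to the first ".exe"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"      # assumption: IsIpv6 is false in every record of the dump
HASHES = r"MD5=[0-9A-F]{32},SHA256=[0-9A-F]{64},IMPHASH=[0-9A-F]{32}"
BOOL = r"true|false"

# System block: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer RuleName [EventType] UtcTime.
# Task equals EventID in Sysmon, so the backreference is what splits the leading run of digits.
HEADER = re.compile(
    rf"^(?P<eid>\d{{1,2}})(?P<ver>\d)(?P<lvl>\d)(?P=eid)(?P<op>\d)(?P<kw>0x[0-9A-F]{{16}})(?P<rid>\d+)"
    rf"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"       # RuleName is "-" in this dump
    rf"(?P<rtype>SetValue|DeleteValue|CreateKey|DeleteKey)?(?P<utc>{TS})(?P<body>.*)$", re.I | re.S)

BODY = {  # EventData layouts for the five EventIDs present in the dump
    11: re.compile(rf"^(?P<pguid>{GUID})(?P<pid>\d+)(?P<image>{EXE})(?P<target>.+?)(?P<ctime>{TS})$", re.I | re.S),
    23: re.compile(rf"^(?P<pguid>{GUID})(?P<pid>\d+)(?P<user>.+?)(?P<image>{EXE})(?P<target>.+?)"
                   rf"(?P<hashes>{HASHES})(?P<isexec>{BOOL})(?P<archived>{BOOL})$", re.I | re.S),
    3: re.compile(rf"^(?P<pguid>{GUID})(?P<pid>\d+)(?P<image>{EXE})(?P<user>.+?)(?P<proto>tcp|udp)"
                  rf"(?P<initiated>{BOOL})(?P<sipv6>{BOOL})(?P<sip>{IPV4})(?P<shost>.*?)(?P<sport>\d{{1,5}})"
                  rf"(?P<spname>[a-z-]*?)(?P<dipv6>{BOOL})(?P<dip>{IPV4})(?P<dhost>.*?)(?P<dport>\d{{1,5}})"
                  rf"(?P<dpname>[a-z-]*)$", re.I | re.S),
    # Details is recoverable for DWORD/QWORD/Binary Data and for path-like strings; other strings have no delimiter.
    13: re.compile(rf"^(?P<pguid>{GUID})(?P<pid>\d+)(?P<image>{EXE})(?P<target>HK.+?)"
                   rf"(?P<details>(?:DWORD|QWORD|Binary Data) \(.*\)|[A-Za-z]:\\.*)?$", re.I | re.S),
    # SourceProcessId and SourceThreadId are fused ("900920"); they cannot be split without the XML.
    10: re.compile(rf"^(?P<spguid>{GUID})(?P<spid_tid>\d+)(?P<simage>{EXE})(?P<tguid>{GUID})(?P<tpid>\d+)"
                   rf"(?P<timage>{EXE})(?P<access>0x[0-9A-F]+?)(?P<calltrace>[A-Za-z]:\\.*|UNKNOWN.*)$", re.I | re.S),
}


def parse_record(text):
    """Split one flattened record into a dict of named fields (values kept as the raw strings)."""
    m = HEADER.match(" ".join(text.split()))    # re-join records that the dump wraps across lines
    if not m:
        raise ValueError(f"not a flattened Sysmon record: {text[:40]!r}")
    rec = {k: v for k, v in m.groupdict().items() if k != "body"}
    rec["eid"] = int(rec["eid"])
    layout = BODY.get(rec["eid"])
    if layout is None:                          # EventIDs not seen in this dump stay unsplit
        rec["raw"] = m["body"]
        return rec
    b = layout.match(m["body"])
    if not b:
        raise ValueError(f"EventID {rec['eid']} body did not parse: {m['body'][:60]!r}")
    rec.update(b.groupdict())
    return rec


PROCESS_VM_READ = 0x0010                                         # needed to read LSASS memory
EXPECTED_EGRESS = {("10.0.1.12", 8000), ("10.0.1.12", 8089)}     # assumption: the range's Splunk host
AUTORUN_MARKERS = ("\\currentversion\\run", "\\imagepath")       # common persistence locations


def triage(records):
    """Return (events per EventID, [(EventRecordID, reason), ...]) for a list of flattened records."""
    counts, alerts = Counter(), []
    for rec in map(parse_record, records):
        eid = rec["eid"]
        counts[eid] += 1
        if (eid == 10 and rec["timage"].lower().endswith("\\lsass.exe")
                and int(rec["access"], 16) & PROCESS_VM_READ):
            alerts.append((rec["rid"], f"{rec['simage']} opened LSASS with GrantedAccess {rec['access']}"))
        elif eid == 13 and any(mk in rec["target"].lower() for mk in AUTORUN_MARKERS):
            alerts.append((rec["rid"], f"{rec['image']} set autorun value {rec['target']}"))
        elif (eid == 3 and rec["initiated"].lower() == "true"
                and (rec["dip"], int(rec["dport"])) not in EXPECTED_EGRESS):
            alerts.append((rec["rid"], f"{rec['image']} -> {rec['dip']}:{rec['dport']} outside egress allowlist"))
        elif eid == 23 and rec["isexec"].lower() == "true":
            alerts.append((rec["rid"], f"executable deleted, archived by Sysmon: {rec['target']} {rec['hashes']}"))
    return counts, alerts


# Five records copied from the dump above, then two constructed ones (EventRecordID 900001 and 900002).
SAMPLE = [
    r"11241100x8000000000000000242282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.117{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:13:56.117",
    r"23542300x8000000000000000242290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.267{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E4AB6C4DE9CCDA606079B265A90F22E1,SHA256=12F5BEEDC35EB7738EB9D029B831815CCD8B601A817FFD2A2394100DC7490107,IMPHASH=00000000000000000000000000000000falsetrue",
    r"354300x8000000000000000242316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:01.654{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-",
    r"13241300x8000000000000000242304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)",
    r"10341000x8000000000000000242388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    # constructed: hypothetical dumper opens lsass.exe with PROCESS_VM_READ|PROCESS_QUERY_LIMITED_INFORMATION
    r"10341000x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:00.000{8D845A55-0000-6260-0000-000000000001}51005104C:\Users\Public\dumper.exe{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(00000000004A1000)",
    # constructed: the same hypothetical binary registers itself under the HKLM Run key
    r"13241300x8000000000000000900002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:20:01.000{8D845A55-0000-6260-0000-000000000001}5100C:\Users\Public\dumper.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdaterC:\Users\Public\dumper.exe",
]

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE)
    print("events by EventID:", dict(sorted(counts.items())))
    for rid, why in alerts:
        print(f"ALERT EventRecordID={rid}: {why}")
```

Run as-is, the five genuine records produce no alert: the svchost.exe to Explorer.EXE opens carry GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) and come from rpcss.dll, the lsass.exe registry writes are the W32Time SecureTimeLimits values, and the forwarder's connections go to the allowlisted Splunk host. Only the two constructed records fire. The parser is what makes such rules possible at all on this dump; without the backreference on Task and the drive-letter and ".exe" anchors, fields such as ProcessId/Image and GrantedAccess/CallTrace (where "0x1000C:\..." would otherwise swallow the "C" as a hex digit) have no delimiter between them.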
10341000x8000000000000000242387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:22.924{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:22.924{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8329B434171D8091105C8B1B419E58,SHA256=527333BA8F4DD2C28B217453EFF91D1D6ABFD9DA1241E831BA4B4ECCCF9C6328,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:20.543{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57776-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:24.027{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:24.027{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82D1E9F72943B14D9F4F5E6F90FA600,SHA256=1CF802229BC03E483D2F253DD1356C0AAC32E175EE8075E7305FBFA65CA72728,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:25.031{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:25.031{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FBACC8626BC41EAFA979706DBF84B8,SHA256=B0F85BA70E5BA05FEEA239562DCAE2195F552207712742F9F4BABDD48454943A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:26.135{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:26.135{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3549C9F1CFDD12899586261490FA13B4,SHA256=DD8CA6173057BEC4FE0BB36998E624B23CD04E817CC0AAB31A4C68EA6D4ED26A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:26.111{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:14:26.111 
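Most of the records in this export are Sysmon Event ID 10 (ProcessAccess) entries, and what makes one of them interesting is the GrantedAccess mask together with the CallTrace: the RPCSS service host opening Explorer, SearchUI and ShellExperienceHost with 0x1000 is background noise, while a handle carrying memory or thread rights, or a call trace that runs through memory no module backs, is what an analyst actually wants surfaced. The following Python is an added example, not part of the exported data or of Sysmon or Splunk: it decodes the masks that appear above (0x1000, 0x1400, 0x1fffff) using the public PROCESS_* constants from winnt.h and applies a small triage rule set. The three first sample records are condensed from values visible on this page; the fourth (the lsass.exe case with a UNKNOWN(...) frame and the path of tool.exe) is constructed for illustration and does not occur in this export. SENSITIVE_TARGETS, MEMORY_RIGHTS and the verdict labels are this example's own choices.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example, not part of the original log export. The sample records are
constructed: three are condensed from values that appear in the dump, the
fourth is a hypothetical positive case for demonstration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Process access rights from winnt.h (public Windows constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
NAMED_MASK = 0
for _bit in PROCESS_RIGHTS:
    NAMED_MASK |= _bit

# Rights that let the caller read or change the target's memory or threads
# (this example's grouping, not a Windows definition).
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0800

# Targets where any memory right deserves an alert (example's own list).
SENSITIVE_TARGETS = ("\\lsass.exe", "\\sysmon64.exe", "\\sysmon.exe", "\\winlogon.exe")


def decode_granted_access(mask: int) -> list[str]:
    """Map a GrantedAccess mask to right names; unnamed bits are reported as-is."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~NAMED_MASK
    if unknown:
        names.append(f"UNKNOWN_BITS(0x{unknown:x})")
    return names


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str  # Sysmon CallTrace: "module+offset|module+offset|..."


def triage(ev: ProcessAccess) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'benign', 'review' or 'alert'."""
    src = ev.source_image.lower()
    tgt = ev.target_image.lower()
    trace = ev.call_trace.lower()
    # 1. RPCSS inside svchost opening processes with QUERY_LIMITED_INFORMATION only:
    #    the bulk of this export, and a handle that cannot touch memory.
    if src.endswith("\\svchost.exe") and ev.granted_access == 0x1000 and "\\rpcss.dll+" in trace:
        return "benign", "rpcss.dll query-limited access"
    # 2. Sysmon prints UNKNOWN(address) for frames in memory no module backs,
    #    the shape injected code or shellcode leaves in a call trace.
    if "unknown(" in trace:
        return "alert", "call trace through unbacked memory"
    # 3. Memory or thread rights on a credential or security-tool process.
    if ev.granted_access & MEMORY_RIGHTS and any(tgt.endswith(t) for t in SENSITIVE_TARGETS):
        return "alert", "memory rights on sensitive target"
    # 4. Any other handle with memory rights is worth a look; query-only is not.
    if ev.granted_access & MEMORY_RIGHTS:
        return "review", "memory rights granted"
    return "benign", "query-only rights"


def triage_all(events: list[ProcessAccess]) -> list[tuple[str, str]]:
    return [triage(ev) for ev in events]


# Constructed sample records (see module docstring for provenance).
SAMPLE_EVENTS = [
    ProcessAccess(r"C:\Windows\system32\svchost.exe", r"C:\Windows\Explorer.EXE", 0x1000,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|"
                  r"c:\windows\system32\rpcss.dll+2db91|C:\Windows\system32\svchost.exe+1380"),
    ProcessAccess(r"C:\Windows\system32\svchost.exe", r"C:\Windows\sysmon64.exe", 0x1400,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|"
                  r"c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523"),
    ProcessAccess(r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe", 0x1FFFFF,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|"
                  r"C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1"),
    # Hypothetical positive case, not from this export: VM_READ on lsass from an unbacked frame.
    ProcessAccess(r"C:\Users\user\AppData\Local\Temp\tool.exe", r"C:\Windows\system32\lsass.exe", 0x1010,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(000001D2C4A10000)"),
]

if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        rights = ", ".join(decode_granted_access(ev.granted_access))
        print(f"{verdict:7} {reason:38} 0x{ev.granted_access:x} [{rights}] "
              f"{ev.source_image} -> {ev.target_image}")
```

Two points worth noting when applying this to the export itself. The 0x1fffff handle splunkd.exe holds on splunk-MonitorNoHandle.exe is the full-access handle a parent receives when it creates a child, so rule 4 puts it in "review" rather than "alert"; a production rule would correlate it with the matching Event ID 1 and suppress it. And 0x1400 on sysmon64.exe, reached through lsm.dll over RPC, carries only query rights, which is why the example does not escalate it even though the target is on the sensitive list.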
15:14:32.111{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.110{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:32.110{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.110{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2358-6260-C102-000000004402}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.110{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2358-6260-C102-000000004402}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.110{8D845A55-2358-6260-C102-000000004402}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.961{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2359-6260-C402-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.960{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.959{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.959{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.959{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.959{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2359-6260-C402-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.959{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2359-6260-C402-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:33.958{8D845A55-2359-6260-C402-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.693{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.692{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E1668C38BACCB5BEB8E5B67C6B82A3,SHA256=10D580DD38CCC5CC6682E55A8AEB7F9D3F62676F24ED809D7B00A9179AD40C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.637{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000242476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.637{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000242475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.637{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF35c0cd.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.636{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF35c0cd.TMP2022-04-20 15:14:33.636 11241100x8000000000000000242473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.632{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JLHY743R154XYCT760BP.temp2022-04-20 15:14:33.632 10341000x8000000000000000242472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.457{8D845A55-2359-6260-C302-000000004402}55481960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.297{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2359-6260-C302-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.296{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:33.295{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.295{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:33.295{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.295{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2359-6260-C302-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.295{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2359-6260-C302-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.295{8D845A55-2359-6260-C302-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000242463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.012{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\aborted-session-pingMD5=8099A92A232F811C4173394B08D8B4E2,SHA256=AA6E5703C1DD5E3CC0B1E7EF4E4098396FF2CA448AD64170CF36BF44D0AD6CED,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:33.006{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\aborted-session-ping.tmp2022-04-20 15:14:33.004 11241100x8000000000000000242491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:34.700{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:34.700{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B14600C9CE309673FECB41B83C3449,SHA256=131670AAE51B1E1DE535D4CB7C09187F60EF90A26EB004D427344D8BA8704040,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:34.624{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
354300x8000000000000000242488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.602{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57779-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:35.803{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:35.803{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7361BD302569560AD5C7D5F1FCE33E9,SHA256=341176E8A2C64AF7BC3F30E17984510ADF856C5C2AEBCEF4F1A39E6DAD39EB7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:36.908{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:36.908{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED0DD3DE047A0A0CC243D804C070B24,SHA256=1366827BD098A0487B02CE5B62D02480873128431778C203C98E70694CF13F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:35.636{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57780-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:38.014{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:38.014{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9556C6C8C9837B2CBE58EAD91F1F2733,SHA256=7CF240BD3F5B07F0F87E784A2BC11E7B7CD6544CCFD4F6DAAADF29A60D88FB59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:39.117{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:39.117{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8595CEE12529B45AF04C62FF5182C96,SHA256=BD943D740809A26855B377CB5F30F446D49D77446126D07E6173A6AB7A5BFFF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:40.221{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:40.221{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65527EA898D3AB8B6B14699D759773A,SHA256=D9FF0C77A9CDC6DC0615C6A72971F252E9B1C4E3316690B130092EB115960FBB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:41.324{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:41.324{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78CCF522DCC1BCEA1CCF80BC3E442C0,SHA256=2F6B5F009FAFA8479BD3903DE9ADDACABBA27BD3C1BF64429D3F12143F6898EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.947{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-056MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.945{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0562022-04-20 15:14:42.945 11241100x8000000000000000242507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.944{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0572022-04-20 15:14:42.944 11241100x8000000000000000242506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.428{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.427{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D8BA1A142BDE07245DF3DD5701BA14,SHA256=0DCCD23E6C219FEB29A125245829DAB29522A69843900EC4103C5DB7AA7AE262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:43.946{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:43.532{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:43.531{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF45A2B39D10DC1CB46AAE516C2E3663,SHA256=2FA7FBF8F0F7E1378E99AF8459D252239293F4D82AED2D3B1CFF9B16DCF9C675,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:44.633{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:44.633{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAA990463D85B4C3D3056B0CC2D52FF,SHA256=4C51D6234929B026856BAE4A83DA18E1A72E8C08ED0E8C2D6AC498B3DBEAE31B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:41.456{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57781-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000242524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.793{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.793{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.793{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.788{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.787{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:45.787{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.787{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.638{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.638{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42903F0EBEE51E43196715FF6CDD48C5,SHA256=760B14CE6AE5F9BA0D9ABE04F7C31C9E551A64770EBD99181F92CD00CCD4F938,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:46.745{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:46.744{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169D66EB353C91C58DAD1B12B50CE328,SHA256=DC039EF3A8B90217E023BA2377C91EE41C3030B5749748FF33612BA96EC4B1AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:47.850{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:47.850{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3B5ADD3AF2269CD9B011C9A94A5523,SHA256=58EDDDB4CDA5E22539D6165F33997E78F0613BC327107FB8740BA357F4FE8B92,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:48.956{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:48.956{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA221738CE8374E13C6FAE5F1AF55698,SHA256=5AF5345D936A3DF65268700D27F06AAB7EE95B3A4CE5107E9841D9E5DB5975B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:46.527{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57782-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:50.060{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:50.060{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A90D896CEBFAD2BA8760D890ABC5EB,SHA256=9D9838A5A571475AC63CDA6A98CED8C49D6FBCB7ADE2D1B5FF284D1E4B89D72C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:51.164{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:51.163{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED56F708F929A3C7A8570F9C9CBE193,SHA256=4197210C321B1ADCDE0D246CF16994689E54AB2AAE34406CDF5996DCB8F0D1E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:52.269{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:52.269{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5CF130F0B89AA333A6720805622DC8,SHA256=DBBC97B0E797C597D1855C20EACD25C596BA0B5EB6912438EE50E77C5E8C589E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:53.372{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:53.372{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631E8832097E66B6E20EA4AD61D544A9,SHA256=F85FB7A4E84EBD6ABD5EF01A9F261BB1DE027024F834A0434C46AABDDD429F35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:54.478{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:54.478{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE9456E7FCC4B376FF78422F111F908,SHA256=EF909B01C1D16CEC59F2EE7042618C91D749A6B3BA0BBB95959A6375CF95CBEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:55.481{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:55.481{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAF2A77878327EEBF9CF16AC55ED0A1,SHA256=EB8FB296D4C3BF50DC746CD15B14E6CB920A031076283E25C07890CD22D2247E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:56.586{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:56.586{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C933C87D9D1631A3C94ACE647D168B,SHA256=DE637126B77DCF93E8FFCD41F557245BE2404B2CE7D9A0C3544BA55FBBD4EBDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:52.457{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57783-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:56.113{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:14:56.113 11241100x8000000000000000242549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:57.691{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:57.691{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97137033B591D1699854FBD68AE51D76,SHA256=098BEAB69092EE4F46AAC6EBC0F5823855974933AE425C712B1BF2A3E83ECEB9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:58.796{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:58.796{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2052A187D9DDC1031A237DFCE773B0,SHA256=928F1905D52FD1A3FF1A8758C030B391DF5EA76CB1172F8EA3BF8C1B107E57B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:59.900{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:59.900{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9BA99B168E661E40B3896BA052207D,SHA256=EFA843F61C0DB9A0611229003FA5CB4B5C6E0B852641688F26BF74092F9A1DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:59.668{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8DE5EEE8468403612A7F4F9159A25483,SHA256=CA5BE3B9B49268851DB33B75D3CC1B1152ED36E724B9C89ABDA4325A68D42A0C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:59.284{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-04-20 14:16:57.501 23542300x8000000000000000242552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:59.283{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=00FEBE03566338F865C232F169349FD3,SHA256=AE6770A664691CD11D5D13A42E68C4F0312E1A1F60ECDBA1378E8ADA306562ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:00.571{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000242558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:00.571{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=336D57E60F20809DD02B30F826316D04,SHA256=8F13A8491C296BC5E22FC147F0C95DA6890D36F105C1188DF5FA0BD860DB7A44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:57.519{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57784-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:01.004{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:01.003{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610C69B199995090A01C7BA5B63B8740,SHA256=03D6B396B8F52547C4F5E14EC9BD709197B700EECFA228DA9905CDB2E79A3318,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:02.109{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:02.109{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3556FB8D54BD18529245C4C1D56BF8E8,SHA256=0497ECAFD326B300DAA0FBF1FFA4D4CFCF3BDCF9A044FFB5356FB04D51B955DE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:03.278{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000242566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:03.278{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:03.115{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:03.115{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C6B6DA527C594994022A09CEB3997D9,SHA256=9606C01CF12C9C8360A031AFECE1E2413F66313786D64BCEB5C865433AF64D00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:01.671{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57785-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000242569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:04.123{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:04.123{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4B204FE0BCE7ECB79D3C810923FA0,SHA256=E84889DDDE93C034469676927FBE9DF283FF4B2E1D3A55D1C9BA664BBCDAFC53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:02.651{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57786-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:05.227{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:05.227{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98920A55BE4AAE20F230A397E93EBB21,SHA256=DF8B14036A2A140C10806604E5109FC3C467F9C959F40E5019603BAA6164C051,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:06.333{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:06.333{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB28A0E9FF514BAABC9560592412D936,SHA256=7818E6EF700761F7131E6AD5F01F34FF1CFDCF67A94924FB9E6B3B15D8F705C2,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:07.437{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:07.436{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB75D939557176FFE0A82C011CFF3FF2,SHA256=3F9E8239380E9B3FF525AAEBF667A94008081EAE6E83909343249C19C351985B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:08.542{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:08.542{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E368BCA921046B31B9D3197032B04597,SHA256=83ABBBAE1FD0F2BA1E2ABA6FA9546C87492FB70D63DC17AA540E15B72359DE95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:09.645{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:09.645{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E3121B7C231DC9965C90C42CBD2B5D4,SHA256=13199B1AD96DE90D5A86A91B29DD95DF89ED1A398F3038197E4961247780A418,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:10.750{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:10.750{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7136E973A1879012C7FA21921CACF0,SHA256=3B90867760861BDB638618AF6F6342F425BFA8271DD0CB9EF22193E3A1D20C34,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:10.660{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000242582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:10.660{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=4F25B422168C89D611EEA5AB00FCC713,SHA256=876E8182F2EE0BCAAFE623CBE7C2882439EA48BF259324D3A666F01F32BBF68E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:11.756{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:11.756{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D291ABB1D14D663A2894C0FB774DF39F,SHA256=91DBB40194D1866F4675B6F2E559A042AD50342B98C0BE2C3E5A01DA60A991DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:12.861{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 
13:22:35.754 23542300x8000000000000000242589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:12.861{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBAA366398B65F4B066AD0431BCB2BA,SHA256=5DF47D034F42BE72172BF9E093ADD364B2F370DB1071B90F4C7F585FA99DD067,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:08.483{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57787-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:13.965{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:13.965{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B906291DAEEC3D6A24E87CD848D83F5,SHA256=90498A8FFAD6D0CBC9165A1FADF58617A5FBBFDAFC16BC2DBCA83FA0530A5793,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:14.969{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:14.969{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C6F20C248932B59862693E7EE6600DD,SHA256=323655AB092097A0169E0BC7AED3AE52FD390E8AE63E441D9D64354DBBB66E97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:13.614{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57788-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:16.073{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:16.073{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DEFC229CFAC645D78E308ECC0CBCD9,SHA256=D52C170604E22F85AE43BA39E55B857EE3031A87EDD710EDCC82E02A946E50FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:17.077{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:17.077{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EC3DBF6C810FE9FA02996EA96B2FB1,SHA256=5B6782FE3994922C527FF36C258EBE3DDF532C219EA7BC21BFFC39B570F317BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:18.087{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:18.087{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04CB78CB554F6F3D409237EF7C2CF16,SHA256=93285D81A203360BADFC0C964CEAA6D514FE067141E3B5DFE04FCA9D374708CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:19.093{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:19.093{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5237670CD1C261F878F94ACC10CE0F82,SHA256=C161276F82AF714E0215A2E0AA50E8E7E4D82E3DFFA51AF47FC7879E2D81320E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:20.196{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:20.196{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A601D533048EF94E434F3940032EE2,SHA256=CDB6B342604C83AD5E1C106C9C51C1CABDEE77B68E8DD99A9DDE7C54C721251A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:21.299{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:21.299{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34202B8B58EC496853ED6E7FFD07D938,SHA256=2E28FCBFF6611CA813EE8C73F6C7A59BC4810ABD9323F74906F45071D0D6D7A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:19.539{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57789-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:22.308{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:22.307{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD322E5D7A94F89D441B4C996BE4D72A,SHA256=EF594226F9195C65910F47555F53D3E391429425E8305CBB7C4BF72938EBDB11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:22.236{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000242608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:22.236{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=A03574B5C5AD20B2921118E2FECC8F89,SHA256=F1681E78856D0441E3FBC6055D4BF23FADEA0A3B9012D159A2BCC3CE3F613415,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:23.412{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:23.412{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF0600977EC06FE03AE34BA6CB8D861,SHA256=36CA2C98A2A8093B2FB620C7E09935C8FDFC22456360094841FE95F95CA65650,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:24.518{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:24.517{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2006020252C3C394DBFFCC173A59C239,SHA256=3DF4F154AC6C6FF470D23AF793CE6B9B5CC284679123ABCC501EAF5DB0FC98B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:25.622{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:25.622{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADD5528C38C501E7855086FCF4CBB1D,SHA256=B74844FC39ADC7ED89695B2A0049ED1C470722938D841938C1B03DC8FAADF6EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:26.627{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:26.627{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843DA2498ED38B516974275388696A79,SHA256=D64B0298E65A40E8D7483DABBBEAF80382AA9221B6415165C85AA7D1EC62BC78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:26.110{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:15:26.110 11241100x8000000000000000242623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:27.730{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:27.729{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C54249C4D6F2406975BB43D5880D8A,SHA256=F49C5D2F91EA918DCBEE359AE527CFA522310FBF5ED7F498589EDBC1E8729D1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:28.737{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:28.737{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75EB747FFFAF330FB21E1D5E44BE6CB,SHA256=DF3B777730474CD684548316BD07693F5380BC8B310D848E95CE7950918032C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:24.644{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57790-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
23542300x8000000000000000242637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.893{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=78F9F0082061DC1A39FEA26112F6AB3E,SHA256=2780B968258C03E21A05CA2E56CD64867B1C319716421F023FF4EC56264F8A03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.844{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.844{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675BE10CF740FE0FE2F176CDE03E75FD,SHA256=216BA1BF6B0565D0EC2181C36431C7EFB0097CED1BCA38EF6F0E7AF34A62934E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.514{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2391-6260-C502-000000004402}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.509{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.509{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.508{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.508{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.508{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2391-6260-C502-000000004402}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:29.508{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2391-6260-C502-000000004402}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:29.507{8D845A55-2391-6260-C502-000000004402}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.888{8D845A55-2392-6260-C702-000000004402}59602480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.855{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.855{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3BE951327B964BA59E563DC7E290AD,SHA256=BEBFE83B0C588D90226C2327B80F5B368A2C1497232D53CBCF2E94196B8C40A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.671{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.669{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.669{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.669{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.668{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.668{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.668{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.668{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:27.711{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57791-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:27.711{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57791-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000242647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.446{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000242646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.446{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=377A407B178221DCA9F42B8850A3C564,SHA256=7FC09A979BFC972CCB2B1CDE217E5771D43DDEF0771623340D112C8C3959B2DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.153{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.151{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.150{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.150{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:31.958{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:31.958{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391DE6F79B3E89EBE23597095C6841BE,SHA256=B41183B8551ABE1D4069A09930C2B2F57E73AE43BD87C62B52BBE8152B16104E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.745{8D845A55-2394-6260-C902-000000004402}46762592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.572{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.571{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.571{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.570{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.570{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.570{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.570{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.570{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.251{8D845A55-2394-6260-C802-000000004402}12604904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.079{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.077{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.077{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.076{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.076{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.076{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.076{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.076{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.779{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.505{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000242691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.333{8D845A55-2395-6260-CA02-000000004402}23484104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.099{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:33.097{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.096{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:33.096{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.096{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:33.096{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.096{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.095{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.072{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.072{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6AF56B59392ADE67B1158AB3DA6FC5,SHA256=80DE62482966670B7CDDA1EFD6E5463CC815DDCE90415611D7589A952D8F0322,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.183{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.182{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798431EC99EBA889A5B934598EE619B5,SHA256=E831788E897DD24B05D40F600A894D3FBBCC3966E4884397D9DEE687DF36CDA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.078{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000242701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.077{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=D0A809E82D986188707E46746C5D8FF6,SHA256=C2CDECC9298673CBA7B49687F5D57AE85B760A8D0FDDC7D3F71AC0AE11D09670,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:35.287{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:35.287{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94D7E6CC0502A1131ADF9CE2564DA3,SHA256=7ED948432C662974CDFC5EE1EC3F72131EFB992459FA04C2031864516A30B60A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:36.291{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:36.291{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BD3313B7E1A1CFFABBEE6D2161B82F,SHA256=ED325FEA00D0A714C395601A761CE2A487CB383B54651E2BDE2A47614E4FB9BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:37.297{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:37.296{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E60B07B3E7A330F2D75D52740757EF,SHA256=475A93F0313B04EE9898167E7F9D556FBCF5324EC64BE7030234D5A67EF20621,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:35.522{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:38.304{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:38.304{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C517F067145F10284A6E58457826D077,SHA256=43EAC8653D96C23DA41B8CD55DD5233F45095BEF91D630257430757AAD35F494,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:39.308{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:39.308{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED74A300AEFB59250B2E11CF1184008,SHA256=F626DDD80F8F770CAE152073ECF0DAD33A5AF48B2FB8628544AD51E96393A51C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:40.312{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:40.312{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B0343B90F1BE1EF45CA8E39E3F8269,SHA256=1361737F285E05033DFB734201B106122513474BF60E5C79E84D9C5FA9B66878,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:41.417{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
Microsoft-Windows-Sysmon/Operational export from win-dc-ctus-attack-range-355.attackrange.local, 2022-04-20 15:15:41 to 15:15:59 UTC. Extraction stripped the XML tags and ran the events together; below they are listed one record per line, in the order they appear in the export, with the Sysmon field names restored. Fields identical in every record are stated once here and left off the lines: Channel Microsoft-Windows-Sysmon/Operational, Computer win-dc-ctus-attack-range-355.attackrange.local, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName -. Version/Task by event type: EventID 11 FileCreate 2/11, EventID 23 FileDelete (archived) 5/23, EventID 3 NetworkConnect 5/3, EventID 10 ProcessAccess 3/10, EventID 13 RegistryEvent (SetValue) 2/13. Every EventID 23 record carries IMPHASH=00000000000000000000000000000000, IsExecutable false and Archived true. Every EventID 3 record carries Protocol tcp, Initiated true, SourceIsIpv6 false, DestinationIsIpv6 false, SourcePortName - and DestinationPortName -. In EventID 10 records the export runs SourceProcessId and SourceThreadId together; the split shown is inferred.

EventID 23 FileDelete (record continued from the preceding section; its EventID, EventRecordID and date are not in this section) | UtcTime ...15:15:41.417 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=5A874AA7BF3375730A07A5BEA2E9D2B7,SHA256=703676615F1E51713F3C97055BDFE9BD745FC2D38E6FF5151F89E62C534D8C03
EventID 11 FileCreate | EventRecordID 242721 | UtcTime 2022-04-20 15:15:42.524 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242720 | UtcTime 2022-04-20 15:15:42.524 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=9E4725D10B863457BE61B3F99BD11E11,SHA256=513914300C02EE3EFD1BB81F030E8A208020CF799384CEC8AE39ABADEF32BDF2
EventID 11 FileCreate | EventRecordID 242723 | UtcTime 2022-04-20 15:15:43.628 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242722 | UtcTime 2022-04-20 15:15:43.628 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=30087B4893EF4978D11E1310F1C9A359,SHA256=232ABBBE148131A1F810500B56D2F45497B630324D7632DE5D62D5B8E77258F5
EventID 3 NetworkConnect | EventRecordID 242729 | UtcTime 2022-04-20 15:15:41.444 | ProcessGuid {8D845A55-15B9-6260-7900-000000004402} | ProcessId 3332 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-355.attackrange.local | SourcePort 57794 | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8000
EventID 11 FileCreate | EventRecordID 242728 | UtcTime 2022-04-20 15:15:44.734 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242727 | UtcTime 2022-04-20 15:15:44.734 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=994C9EB4DB7C45DB053694346595341B,SHA256=7732964CE0C2EAD0D0CB4C4AAD636BF614A25E08A5382F4EE9AAB6782F9174A9
EventID 23 FileDelete | EventRecordID 242726 | UtcTime 2022-04-20 15:15:44.446 | ProcessGuid {8D845A55-15AE-6260-2D00-000000004402} | ProcessId 2972 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename C:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-057 | Hashes MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD
EventID 11 FileCreate | EventRecordID 242725 | UtcTime 2022-04-20 15:15:44.445 | ProcessGuid {8D845A55-15B0-6260-4700-000000004402} | ProcessId 3580 | Image C:\Program Files\Amazon\SSM\ssm-agent-worker.exe | TargetFilename C:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-057 | CreationUtcTime 2022-04-20 15:15:44.444
EventID 11 FileCreate | EventRecordID 242724 | UtcTime 2022-04-20 15:15:44.443 | ProcessGuid {8D845A55-15AE-6260-2D00-000000004402} | ProcessId 2972 | Image C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename C:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-058 | CreationUtcTime 2022-04-20 15:15:44.443
EventID 11 FileCreate | EventRecordID 242739 | UtcTime 2022-04-20 15:15:45.841 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242738 | UtcTime 2022-04-20 15:15:45.841 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=0404D4498F2949A2293238EC7668F94E,SHA256=D6CE5E84766D77DE5B8220E38C7B359BF9B0BCE8DA3A8CD599B5D3659EE61B5F
EventID 23 FileDelete | EventRecordID 242737 | UtcTime 2022-04-20 15:15:45.445 | ProcessGuid {8D845A55-15AE-6260-2D00-000000004402} | ProcessId 2972 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe | TargetFilename C:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-058 | Hashes MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7
EventID 10 ProcessAccess | EventRecordID 242736 | UtcTime 2022-04-20 15:15:45.388 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 1136 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1410 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 10 ProcessAccess | EventRecordID 242735 | UtcTime 2022-04-20 15:15:45.388 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 1136 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1000 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 10 ProcessAccess | EventRecordID 242734 | UtcTime 2022-04-20 15:15:45.388 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 1136 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1000 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 10 ProcessAccess | EventRecordID 242733 | UtcTime 2022-04-20 15:15:45.380 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 372 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1410 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 10 ProcessAccess | EventRecordID 242732 | UtcTime 2022-04-20 15:15:45.380 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 372 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1000 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 10 ProcessAccess | EventRecordID 242731 | UtcTime 2022-04-20 15:15:45.379 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 372 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1000 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 10 ProcessAccess | EventRecordID 242730 | UtcTime 2022-04-20 15:15:45.379 | SourceProcessGUID {8D845A55-15DF-6260-9400-000000004402} | SourceProcessId 4324 | SourceThreadId 372 | SourceImage C:\Windows\Explorer.EXE | TargetProcessGUID {8D845A55-1E68-6260-1002-000000004402} | TargetProcessId 5452 | TargetImage C:\Program Files\Notepad++\notepad++.exe | GrantedAccess 0x1410 | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID 11 FileCreate | EventRecordID 242741 | UtcTime 2022-04-20 15:15:46.945 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242740 | UtcTime 2022-04-20 15:15:46.944 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=570C0CD33893A92C4ECAE392C3F1E8BB,SHA256=6851DAFE1F094CCBA675EA03D24765B85671A3EE41B2F59051F473803FEC4E35
EventID 11 FileCreate | EventRecordID 242743 | UtcTime 2022-04-20 15:15:47.954 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242742 | UtcTime 2022-04-20 15:15:47.953 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=31FBD5EC2C09A5EB9ABFC5692B48AB2E,SHA256=ADFE897D9C2557488D5C862EC2D74D0B548E471FD229E7B8DA79AF9470E5BBA7
EventID 3 NetworkConnect | EventRecordID 242746 | UtcTime 2022-04-20 15:15:46.532 | ProcessGuid {8D845A55-15B9-6260-7900-000000004402} | ProcessId 3332 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-355.attackrange.local | SourcePort 57795 | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8000
EventID 11 FileCreate | EventRecordID 242745 | UtcTime 2022-04-20 15:15:49.057 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242744 | UtcTime 2022-04-20 15:15:49.057 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=61F8597E96A525F5CE74C5BBD9878686,SHA256=AB44907464C38BDE7BB80216BEA4134BEEDC830D9BD7045A2903F77C2E40A1FA
EventID 11 FileCreate | EventRecordID 242748 | UtcTime 2022-04-20 15:15:50.061 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242747 | UtcTime 2022-04-20 15:15:50.061 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=B6346BA105F45CC85A245606C170A8CB,SHA256=348B8E7FE06F7AED094CCBD00B24B36F8C68C1A86FBD6FFEC925E94E0CBEA0FD
EventID 11 FileCreate | EventRecordID 242750 | UtcTime 2022-04-20 15:15:51.165 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242749 | UtcTime 2022-04-20 15:15:51.164 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=6746E47ED287499C7E94F7714A974DAD,SHA256=0BD7B47C52ADCF0AE98B9F83780FCEF50810D79A2054B4F5421A31F429216FA2
EventID 11 FileCreate | EventRecordID 242752 | UtcTime 2022-04-20 15:15:52.267 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242751 | UtcTime 2022-04-20 15:15:52.267 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=31E2EF12E97DBC98C3C40AE55249D93F,SHA256=A10B5A37C9CE1C7E51AA200833A1E3E68CA5B19FDD7344A43AD07E90027068E0
EventID 11 FileCreate | EventRecordID 242757 | UtcTime 2022-04-20 15:15:53.374 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242756 | UtcTime 2022-04-20 15:15:53.374 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=69EB271461A2AB4959B9FD938A523E64,SHA256=4C36CAEA686E077D0F99A79912CF7A04EE9D0E4542A64BCD507AF6A7FF1B0E53
EventID 11 FileCreate | EventRecordID 242755 | UtcTime 2022-04-20 15:15:53.268 | ProcessGuid {8D845A55-1E68-6260-1002-000000004402} | ProcessId 5452 | Image C:\Program Files\Notepad++\notepad++.exe | TargetFilename C:\Users\Administrator\AppData\Roaming\Notepad++\session.xml | CreationUtcTime 2022-04-14 17:01:56.838
EventID 23 FileDelete | EventRecordID 242754 | UtcTime 2022-04-20 15:15:53.266 | ProcessGuid {8D845A55-1E68-6260-1002-000000004402} | ProcessId 5452 | User ATTACKRANGE\Administrator | Image C:\Program Files\Notepad++\notepad++.exe | TargetFilename C:\Users\Administrator\AppData\Roaming\Notepad++\session.xml | Hashes MD5=E87A54C46F90F3AA0FE6A7B828DD9E83,SHA256=0B7563811A942F9C5F45F95B17188E2C65D2464BD2D5353FEFC351BF683AA7AB
EventID 11 FileCreate | EventRecordID 242753 | UtcTime 2022-04-20 15:15:53.259 | ProcessGuid {8D845A55-1E68-6260-1002-000000004402} | ProcessId 5452 | Image C:\Program Files\Notepad++\notepad++.exe | TargetFilename C:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-04-20_151553 | CreationUtcTime 2022-04-20 15:15:53.257
EventID 3 NetworkConnect | EventRecordID 242763 | UtcTime 2022-04-20 15:15:51.570 | ProcessGuid {8D845A55-15B9-6260-7900-000000004402} | ProcessId 3332 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-355.attackrange.local | SourcePort 57796 | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8000
EventID 23 FileDelete | EventRecordID 242762 | UtcTime 2022-04-20 15:15:54.786 | ProcessGuid {8D845A55-1E68-6260-1002-000000004402} | ProcessId 5452 | User ATTACKRANGE\Administrator | Image C:\Program Files\Notepad++\notepad++.exe | TargetFilename C:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-04-20_151553 | Hashes MD5=C9C79AAAA9E328BADBE4D3F5DBCF2467,SHA256=E88B67FE7E0B301DCC71EFBF3C981474FECCC9AF36DF79A1D27551A7234CD11C
EventID 11 FileCreate | EventRecordID 242761 | UtcTime 2022-04-20 15:15:54.777 | ProcessGuid {8D845A55-1E68-6260-1002-000000004402} | ProcessId 5452 | Image C:\Program Files\Notepad++\notepad++.exe | TargetFilename C:\Program Files\ansible\AttackRangeSysmon.xml | CreationUtcTime 2022-04-12 13:18:48.382
EventID 23 FileDelete | EventRecordID 242760 | UtcTime 2022-04-20 15:15:54.775 | ProcessGuid {8D845A55-1E68-6260-1002-000000004402} | ProcessId 5452 | User ATTACKRANGE\Administrator | Image C:\Program Files\Notepad++\notepad++.exe | TargetFilename C:\Program Files\ansible\AttackRangeSysmon.xml | Hashes MD5=86A70F47C1D6386773C1D7082A615531,SHA256=661B26866D0D952938F1C0DE4EB9F257733E3EB2557954226CF51E5B18DD68DB
EventID 11 FileCreate | EventRecordID 242759 | UtcTime 2022-04-20 15:15:54.477 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242758 | UtcTime 2022-04-20 15:15:54.477 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=8EF5647C5E8270779CEA4A548965F6EE,SHA256=3A320C91FB9685A98525D632DD98565F9B4F68FDDF047319699D8573C1605638
EventID 11 FileCreate | EventRecordID 242765 | UtcTime 2022-04-20 15:15:55.581 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242764 | UtcTime 2022-04-20 15:15:55.580 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=C0A5F7737AB52B171769DA8189B9FC5A,SHA256=CCAED37C8AE8780A26A69241BD8064A9C8C28D1499B8BA3CE28457A8AF20EF66
EventID 11 FileCreate | EventRecordID 242768 | UtcTime 2022-04-20 15:15:56.586 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242767 | UtcTime 2022-04-20 15:15:56.586 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=146DE3DA2D7F75935091BA8D83F03E1A,SHA256=9F0E923158E08CDE2FCC9504304076F47635DDD40B82BA1E6249281CB9823667
EventID 11 FileCreate | EventRecordID 242766 | UtcTime 2022-04-20 15:15:56.095 | ProcessGuid {8D845A55-15AE-6260-2E00-000000004402} | ProcessId 3040 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log | CreationUtcTime 2022-04-20 15:15:56.095
EventID 11 FileCreate | EventRecordID 242770 | UtcTime 2022-04-20 15:15:57.590 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242769 | UtcTime 2022-04-20 15:15:57.590 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=8585ECE1E139CE62BB8AFFEE642449D9,SHA256=04493AE3FE368FED41E641F66D90AEF36633F3C1C487DC596626FF8B14F50157
EventID 11 FileCreate | EventRecordID 242772 | UtcTime 2022-04-20 15:15:58.696 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242771 | UtcTime 2022-04-20 15:15:58.696 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=7343A92B58D93D69C98FB0D23C700898,SHA256=2FDB1B05C61D99566E8E6AE10DB11E899E186E6D931A2557F3CBC4270E697450
EventID 3 NetworkConnect | EventRecordID 242798 | UtcTime 2022-04-20 15:15:56.579 | ProcessGuid {8D845A55-15B9-6260-7900-000000004402} | ProcessId 3332 | Image C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User NT AUTHORITY\SYSTEM | SourceIp 10.0.1.14 | SourceHostname win-dc-ctus-attack-range-355.attackrange.local | SourcePort 57797 | DestinationIp 10.0.1.12 | DestinationHostname ip-10-0-1-12.us-east-2.compute.internal | DestinationPort 8000
EventID 11 FileCreate | EventRecordID 242797 | UtcTime 2022-04-20 15:15:59.708 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime 2022-04-12 13:22:35.754
EventID 23 FileDelete | EventRecordID 242796 | UtcTime 2022-04-20 15:15:59.708 | ProcessGuid {8D845A55-15C1-6260-8300-000000004402} | ProcessId 776 | User NT AUTHORITY\SYSTEM | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes MD5=85C980D0A76CF275E347CB05E365C707,SHA256=94704BD367C1515FE692C9DE7651AD515957962B576BC79EC7804E84A6209DA7
EventID 13 RegistryEvent | EventRecordID 242795 | EventType SetValue | UtcTime 2022-04-20 15:15:59.371 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpConnForceBroadcastFlag | Details DWORD (0x00000000)
EventID 13 RegistryEvent | EventRecordID 242794 | EventType SetValue | UtcTime 2022-04-20 15:15:59.371 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\IsServerNapAware | Details DWORD (0x00000000)
EventID 13 RegistryEvent | EventRecordID 242793 | EventType SetValue | UtcTime 2022-04-20 15:15:59.371 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\AddressType | Details DWORD (0x00000000)
EventID 13 RegistryEvent | EventRecordID 242792 | EventType SetValue | UtcTime 2022-04-20 15:15:59.371 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\LeaseTerminatesTime | Details DWORD (0x626031bf)
EventID 13 RegistryEvent | EventRecordID 242791 | EventType SetValue | UtcTime 2022-04-20 15:15:59.371 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\T2 | Details DWORD (0x62602ffd)
EventID 13 RegistryEvent | EventRecordID 242790 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\T1 | Details DWORD (0x62602ab7)
EventID 13 RegistryEvent | EventRecordID 242789 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\LeaseObtainedTime | Details DWORD (0x626023af)
EventID 13 RegistryEvent | EventRecordID 242788 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\Lease | Details DWORD (0x00000e10)
EventID 13 RegistryEvent | EventRecordID 242787 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpServer | Details 10.0.1.1
EventID 13 RegistryEvent | EventRecordID 242786 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpSubnetMask | Details 255.255.255.0
EventID 13 RegistryEvent | EventRecordID 242785 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpIPAddress | Details 10.0.1.14
EventID 13 RegistryEvent | EventRecordID 242784 | EventType SetValue | UtcTime 2022-04-20 15:15:59.370 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetObject HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpInterfaceOptions | Details Binary Data
EventID 11 FileCreate | EventRecordID 242783 | UtcTime 2022-04-20 15:15:59.281 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | Image C:\Windows\System32\svchost.exe | TargetFilename C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | CreationUtcTime 2022-04-20 14:15:57.498
EventID 23 FileDelete | EventRecordID 242782 | UtcTime 2022-04-20 15:15:59.280 | ProcessGuid {8D845A55-159D-6260-1100-000000004402} | ProcessId 416 | User NT AUTHORITY\LOCAL SERVICE | Image C:\Windows\System32\svchost.exe | TargetFilename C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat | Hashes MD5=022DDAC32D00C03EF5298C5450D9D222,SHA256=31295D5B79BF4936AF26C2A5FF6D05B5F0C6DE2872DD28EDE59EA47C2696375B
EventID 10 ProcessAccess | EventRecordID 242781 | UtcTime 2022-04-20 15:15:59.226 | SourceProcessGUID {8D845A55-159D-6260-1600-000000004402} | SourceProcessId 1292 | SourceThreadId 5376 | SourceImage C:\Windows\system32\svchost.exe | TargetProcessGUID {8D845A55-15AE-6260-2C00-000000004402} | TargetProcessId 2960 | TargetImage C:\Windows\system32\DFSRs.exe | GrantedAccess 0x1fffff | CallTrace C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5 (CallTrace cut off at the end of the export)