EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242055 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:47.881 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242054 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:47.880 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E48767D89A9FFEB380D9CC714C390BFE,SHA256=33C71EFBA7ED6159BFF487C27822F956A6017AAADD8182F5609DEB09A6E851D3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242057 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:48.884 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242056 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:48.884 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=EA33007DDD486027CCD24AF25BAE7D5D,SHA256=6728B087E36623DF23298CEB8BDD0CD715DF084BEC6660DE3D8F8FDF3681EFF6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242059 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:49.891 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242058 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:49.891 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=47603246BE5A7C198747262C269C58D6,SHA256=8A8B816C4BEF1887480EEFBF555EC03357347B77E817FA3CDE103FB349788232,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242061 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:50.996 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242060 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:50.996 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2C6EED035723F4265B5BA42095D91912,SHA256=B8FB99E6D40E059401F0D1D71902D4A6BCB155D4A655E90179F74AA5391D660F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242062 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:48.571 ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57756 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242064 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:52.102 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242063 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:52.102 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=FFCC93BADE4E00452694ED79F46DF401,SHA256=33E2D98335A6ABE5A82B72D278BA6B47A3D0AC71761B6F474B37ED6E034C6AA6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242066 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:53.107 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242065 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:53.107 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=86CAE5E51ECF61B29E0938BEA830850C,SHA256=BBC714F2418E029038E6FB84B981DD703747E040D18E783EE11FD943B3C5DD2C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242068 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:54.211 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242067 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:54.211 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=D1F4C6DCC5CEEF530C77293AF98E748B,SHA256=FF92D8CCE1957DB150E5840CC0B91C710E505674B2088FBD60EB3FFB3D199D76,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242070 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:55.316 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242069 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:55.316 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=CAB786E24B88F86E35E606061E1F1E10,SHA256=E1B95754753F51B7BC8B81D43B654B7055F3216F90EBC23CFDF175B1C77418D1,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242073 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:56.419 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242072 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:56.419 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=347F5BFB620A66856B7F46836D11AAA2,SHA256=E56BF33AB3D4C81485C86C1E03C1667E9D1A6C6E3CB71E2D75257016DB79F0AE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242071 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:56.118 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log CreationUtcTime=2022-04-20 15:12:56.118
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242076 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:54.457 ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57757 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242075 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:57.524 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242074 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:57.523 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=0095ABF8FDB98F9C316007DE90E71902,SHA256=E99A572E99A2C6AF682A77F4544347ED905D01CEE7645CC847D252D4E82FCE6A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242078 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:58.529 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242077 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:58.529 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=B42E8A40C5F4E3EC8F1B090874488264,SHA256=03D8997FB47C4E44A6CA91B8567603C01488726143EF0A63965DDFDF40F97A00,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242082 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:59.632 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242081 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:59.632 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=29DE7C323E165D50841C23638888C3BF,SHA256=F108042E54D46271DADA2189C1CC25B58A67782BEDD491E1AF9BCB42C37171D9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242080 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:59.295 ProcessGuid={8D845A55-159D-6260-1100-000000004402} ProcessId=416 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat CreationUtcTime=2022-04-20 14:16:57.501
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242079 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:59.294 ProcessGuid={8D845A55-159D-6260-1100-000000004402} ProcessId=416 User=NT AUTHORITY\LOCAL SERVICE Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Hashes=MD5=C5192700F7CD468C13913B4DF960EAF3,SHA256=4588F5F9CD6A8C126CBA8A3779FA5BE8ECE77404DE0151A459D9B7B6B285E73D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242085 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:00.736 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242084 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:00.735 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=689B39B49D27C1ABFDFE5B5C15E5916E,SHA256=A731B7D7FF7BF83DD23BE6C7B830B3BA7F1F09D8F7EB6B41F2AD195EF0CC8B72,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242083 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:00.019 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log Hashes=MD5=736FAAF56A5236BFF0096DFBA4B79825,SHA256=BCF134C318A7E1D8F3FCF9F9561763D653196CBCB15FDF60B20378892042D8B6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242087 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:01.840 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242086 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:01.840 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=AAB6B437076F5B4B501A00DD906B24FB,SHA256=BC4EFC592BE67C8AFCB9DD6C8E9911324BAAE51A122653815A2FD3E7D1A81B5E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242090 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:02.845 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242089 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:02.843 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F70C118F4A201AE87C4D404F45B8CCC9,SHA256=6F016D2A9449D3D7C6E484D169DAA7440B8C8641C9824339E0C40C6CED53E8E8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242088 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:12:59.520 ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57758 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242094 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:03.849 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242093 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:03.848 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=B9396EB8A28B24D135B11144AD27FBDF,SHA256=AFE7431D4129E8DA61F459660D5390B694E5110A5F405E77AD20962CFB8EF991,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242092 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:03.257 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml CreationUtcTime=2022-04-12 13:20:00.173
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242091 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:03.256 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242097 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:04.854 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242096 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:04.854 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=DE8825C2F8EAE87DE182C0109FC94FB0,SHA256=4BF7A9639016686E2EF691779700288D36A3AF2CC6ED0A9093298ECCB6D07251,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242095 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:01.647 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57759 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242099 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:05.957 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242098 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:05.957 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=63FDF53484D6098DCEB27E014AD957C4,SHA256=ABFE23365E512CA5E35AC428EA8C0FF0D1C8F023375BFDCC37F001F407754E1A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242101 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:07.062 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242100 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:07.062 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=5B394B6A6E5C3B5DE4E31C47EB5CE943,SHA256=8EA35902DA8383D28AB5925725298DF006BC6145E269BAEE71C2753F3C7ABED7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242104 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:04.604 ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57760 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242103 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:08.167 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242102 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:08.167 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2D1170C897CB76E3E6143896757B749A,SHA256=DFDA6867061464408D7D48E7574C5C0DD23E47CF395173523CE14FA7E952B865,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242106 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:09.270 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242105 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:09.270 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7D2680CAC9C20596E190D3EF1D2E9046,SHA256=D3567DC093AFB24B287C351199CAFE97617ED06EF30B6E179341CFC928B5ADA8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242108 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:10.375 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242107 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:10.375 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=52175F9E2799303C2A8B53BBB7798EAA,SHA256=1E90CE7CD2D77AD2D8E31E213E4F7189E7E173D86EB1B4DB848E780F33A954F7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242110 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:11.478 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242109 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:11.478 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=418C980259D00395466687BB43B2363F,SHA256=DCD1D4ECF572FED61758464C753BE8684D41EA7E7546CC7C86ADC5A3E44FDC7E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242113 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:09.619 ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57761 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242112 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:12.487 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242111 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:12.487 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=1A1728B6CF76C8D72E8532769E198DBB,SHA256=B617D1A7D3A00A298D98806A70584CEB234C6AED518EB2891F43775C7C6D69C7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242115 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:13.591 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242114 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:13.591 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=2C7AA54248431035F17B2C55759E85AB,SHA256=6DDC31CA261D9544F312BD62C5293FE6F9F71269B46FBF33325D238EA516A351,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242117 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:14.601 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242116 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:14.601 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=E37A415CC9DC8BCE0F5559D074C36321,SHA256=FA8102799DF9F534DC82A5B05F96B714D5CC7AA68EEF074A61ACC2FC10D67131,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242119 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:15.705 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242118 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:15.705 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=F066615830750CA217FA71645BED5DA5,SHA256=8A869FC4976F34DFD7AF74F4043E4B221787625FE8A9A69859938800C3DF5C7C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242121 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:16.807 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242120 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:16.807 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=B1E72098929C3DD3C6B5C6269342F7CB,SHA256=23A14AABE728487DB6F09AA7C0B6866DCBA07FFEF2063FF83BD40C84FF61B9DD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242123 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:17.810 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242122 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:17.810 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=230703FA5DD932BBC161071C531804C1,SHA256=03BA06D7E898EDB45F971499D01753ADF6D9265A17D19879248F38DA9CFDA6DD,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242126 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:18.913 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242125 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:18.913 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=8D65E5404F6BE9E2AEBFCC2BD3A8C815,SHA256=33E4CC1AED2221C044C2CC5A7E4101777327763BEB9F378FFB661C834BC4C488,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242124 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:15.445 ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57762 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242131 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:19.919 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2022-04-12 13:22:35.754
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242130 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:19.919 ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=EA86F6366817F018C1B0D9F7FD62E0BC,SHA256=3556F6F41C29FE509AB9C049D5D4566F784966A5152DD8067685BF0CEE3F314F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242129 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:19.471 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId+SourceThreadId=8444504 (the two values are run together in the source) SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-159D-6260-1500-000000004402} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242128 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:19.470 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId+SourceThreadId=8444504 (the two values are run together in the source) SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-159D-6260-1500-000000004402} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=242127 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 15:13:19.470 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId+SourceThreadId=8444504 (the two values are run together in the source) SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-159D-6260-1500-000000004402} TargetProcessId=1248 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
11241100x8000000000000000242133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:21.021{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:21.021{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CF0EA76E8B33D22A458132B8CC105E,SHA256=E81DE19CE9A3826485D8252B88A4C9CF5D71CEB48022216B00F7D8F675564403,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:22.024{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:22.024{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F6D6BD9C04DA7FDF8E2319B302A1DC8,SHA256=F3F5959BFB8FAB1F0825E855DAF082C9D8A48FCE70DA48C7D765305CB8721819,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:20.453{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:23.127{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:23.127{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE89CACC235AB35D542D746352DE2AC,SHA256=DD4437A89A576766B669747F8B2B5CEA97959F026FF4BFDE85259DE2CF06F28E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:24.132{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:24.131{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C708903F5755EBC8E812108F009E82,SHA256=96634943F1D6FC2B59C471E0A3F07D1872AF1BF9A7E83A05161E526EC36488F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:25.234{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:25.234{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10582A7568863DEBF8DA88F0BF14FD05,SHA256=C42826B522FA152F80C4B16C03554C77FBF59E8E3C1819F84D3AB04B42C569E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:26.338{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:26.338{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489E9BB19BCFE4E6BC14EB5975E6ED76,SHA256=43EEF8F5DFEEB561724A4C19B071FB1A2AF6FCE24C691FA8E294604F020B142B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:26.124{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:13:26.124 11241100x8000000000000000242147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:27.440{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:27.440{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F3CC6801C9BA544A3C4B871E8E6F12,SHA256=D9A1618E6ADE20033FA58AEA16FAE6340E6FB16C4BA86BB12AAD04BAEA1AEB6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:25.495{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000242149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:28.544{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:28.543{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BFB5123ABDDB1EA05BBB7D888611B8,SHA256=4B5C8B63C88F59062CABB8A397168C599E032F41A68FE736C4FAAA3F756A7554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.630{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.628{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:29.628{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.627{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.627{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.549{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.549{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5181DBF921850EDB4232B6C58CC933FC,SHA256=6A7F0A2C2C6915B039AB5DFBAB5A8C2EC6BC06C8B638C69782E580537ADEB4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.259{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DB46760B9D11E39A14B2B4B70D8D7336,SHA256=117F79CDB41EB8858C7FC5900982C841122FC4462C6B4D8E0A1335ABF77C9CBF,IMPHASH=00000000000000000000000000000000falsetrue 
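The records in this dump are Sysmon events from the attack-range domain controller as the export wrote them: every XML field value run together with no delimiter between fields. The Python below is an added example and is not part of the original export, nor Splunk's or Sysmon's own tooling. It splits such a raw record back into named fields using only the shapes of the values (Sysmon's Task always equals EventID, GUIDs are braced, image paths end in .exe, hashes have fixed widths, timestamps have a fixed layout) for the five event types present here: 1, 3, 10, 11 and 23. Two boundaries cannot be recovered from shape alone, and the code says so rather than guessing: event 1's FileVersion through IntegrityLevel are free text and are kept as one unsplit string, and event 10's SourceProcessId and SourceThreadId are two bare integers that are separated only when exactly one split yields a pair of multiples of four whose PID also appears, unambiguously, elsewhere in the same dump. The sample records are copied from this page; RuleName is assumed to be "-", which holds for every record here.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Value shapes that survive the delimiter-less export.
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
EXE = r"[A-Za-z]:\\.+?\.exe"                 # lazy, so it ends at the first ".exe"
HASHES = r"MD5=[0-9A-Fa-f]{32},SHA256=[0-9A-Fa-f]{64},IMPHASH=[0-9A-Fa-f]{32}"
BOOL = r"true|false"
IP = r"[0-9A-Fa-f.:]+?"
HOST = r"[A-Za-z][A-Za-z0-9.-]*?"
PORTNAME = r"-|[a-z]+"

# <System> block plus RuleName and UtcTime.  Sysmon's Task always equals EventID and
# that backreference is what pins down the digit run in front of the Keywords value.
# RuleName is assumed to be "-" (true for every record on this page).
HEADER = re.compile(
    rf"^(?P<EventID>\d{{1,2}})(?P<Version>\d)(?P<Level>\d)(?P=EventID)(?P<Opcode>\d)"
    rf"(?P<Keywords>0x[0-9A-Fa-f]{{16}})(?P<EventRecordID>\d+)"
    rf"(?P<Channel>Microsoft-Windows-Sysmon/Operational)(?P<Computer>.+?)"
    rf"(?P<RuleName>-)(?P<UtcTime>{TS})(?P<rest>.*)$"
)

# Remaining EventData fields, in the order Sysmon writes them for the schema
# versions seen in this export (1 v5, 3 v5, 10 v3, 11 v2, 23 v5).
BODY = {
    1: re.compile(rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{EXE})"
                  rf"(?P<Unsplit>.+?)(?P<Hashes>{HASHES})(?P<ParentProcessGuid>{GUID})"
                  rf"(?P<ParentProcessId>\d+)(?P<ParentImage>{EXE})(?P<ParentCommandLine>.*)$"),
    3: re.compile(rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{EXE})(?P<User>.+?)"
                  rf"(?P<Protocol>tcp|udp)(?P<Initiated>{BOOL})(?P<SourceIsIpv6>{BOOL})"
                  rf"(?P<SourceIp>{IP})(?P<SourceHostname>{HOST})(?P<SourcePort>\d+)"
                  rf"(?P<SourcePortName>{PORTNAME})(?P<DestinationIsIpv6>{BOOL})"
                  rf"(?P<DestinationIp>{IP})(?P<DestinationHostname>{HOST})"
                  rf"(?P<DestinationPort>\d+)(?P<DestinationPortName>{PORTNAME})$"),
    10: re.compile(rf"^(?P<SourceProcessGUID>{GUID})(?P<SourceIds>\d+)(?P<SourceImage>{EXE})"
                   rf"(?P<TargetProcessGUID>{GUID})(?P<TargetProcessId>\d+)(?P<TargetImage>{EXE})"
                   rf"(?P<GrantedAccess>0x[0-9a-f]+)(?P<CallTrace>[A-Za-z]:\\.*)$"),
    11: re.compile(rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{EXE})"
                   rf"(?P<TargetFilename>.+?)(?P<CreationUtcTime>{TS})$"),
    23: re.compile(rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<User>.+?)(?P<Image>{EXE})"
                   rf"(?P<TargetFilename>.+?)(?P<Hashes>{HASHES})(?P<IsExecutable>{BOOL})"
                   rf"(?P<Archived>{BOOL})$"),
}

# Constructed sample input: six records copied verbatim from this page's export.
SAMPLE_RECORDS = [
    r'23542300x8000000000000000242118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:15.705{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F066615830750CA217FA71645BED5DA5,SHA256=8A869FC4976F34DFD7AF74F4043E4B221787625FE8A9A69859938800C3DF5C7C,IMPHASH=00000000000000000000000000000000falsetrue',
    r'11241100x8000000000000000242121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:16.807{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754',
    r'354300x8000000000000000242124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:15.445{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-',
    r'154100x8000000000000000242154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.627{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'10341000x8000000000000000242155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:29.627{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2319-6260-B702-000000004402}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791',
    r'10341000x8000000000000000242129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:19.471{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1500-000000004402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791',
]


def split_client_id(digits: str, known_pids: Set[int]) -> Optional[Tuple[int, int]]:
    """Recover (SourceProcessId, SourceThreadId) from the glued digit run of an
    event 10.  Both are Windows client IDs, hence multiples of 4, but that leaves
    several splits; accept one only if exactly one candidate PID is attested."""
    candidates = []
    for i in range(1, len(digits)):
        pid_s, tid_s = digits[:i], digits[i:]
        if tid_s.startswith("0"):            # a decimal TID never prints with a leading zero
            continue
        pid, tid = int(pid_s), int(tid_s)
        if pid % 4 == 0 and tid % 4 == 0:
            candidates.append((pid, tid))
    hits = [c for c in candidates if c[0] in known_pids]
    return hits[0] if len(hits) == 1 else None


def parse_record(record: str) -> Dict[str, str]:
    """Split one flattened record into named Sysmon fields."""
    m = HEADER.match(record.strip())
    if not m:
        raise ValueError("not a flattened Sysmon record: " + record[:40])
    event = m.groupdict()
    rest = event.pop("rest")
    body = BODY.get(int(event["EventID"]))
    if body is None:                         # event type not modelled: keep EventData raw
        event["Unsplit"] = rest
        return event
    b = body.match(rest)
    if not b:
        raise ValueError(f"event {event['EventID']} body did not match: {rest[:60]}")
    event.update(b.groupdict())
    return event


def parse_export(records: List[str]) -> List[Dict[str, str]]:
    """Parse a whole dump, then use the PIDs that are unambiguous in it to split
    event 10's glued SourceProcessId/SourceThreadId where that is possible."""
    events = [parse_record(r) for r in records]
    known = {int(e[k]) for e in events
             for k in ("ProcessId", "ParentProcessId", "TargetProcessId") if k in e}
    for e in events:
        raw = e.pop("SourceIds", None)
        if raw is None:
            continue
        split = split_client_id(raw, known)
        if split:
            e["SourceProcessId"], e["SourceThreadId"] = str(split[0]), str(split[1])
        else:
            e["SourceProcessIdThreadId"] = raw   # boundary lost in the export; keep as-is
    return events


if __name__ == "__main__":
    for e in parse_export(SAMPLE_RECORDS):
        print({k: v for k, v in e.items() if k not in ("CallTrace", "Channel", "Keywords")})
```

When the full dump is fed in, the attested-PID set grows with every event 1, 3, 11 and 23 record, so more of the event 10 client IDs become separable; the svchost record above stays unsplit because PID 844 is never the ProcessId, ParentProcessId or TargetProcessId of any record on this page.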
Common <System> fields for every record below: Channel=Microsoft-Windows-Sysmon/Operational Keywords=0x8000000000000000 Level=4 Opcode=0 Task=(same value as EventID) Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- (records are listed in export order, one per line; values containing spaces are quoted)
EventID=10 Version=3 EventRecordID=242183 UtcTime="2022-04-20 15:13:30.961" SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} SourceProcessId=3292 SourceThreadId=3312 SourceImage="C:\Windows\system32\conhost.exe" TargetProcessGUID={8D845A55-231A-6260-B902-000000004402} TargetProcessId=4204 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242182 UtcTime="2022-04-20 15:13:30.960" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242181 UtcTime="2022-04-20 15:13:30.959" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242180 UtcTime="2022-04-20 15:13:30.959" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242179 UtcTime="2022-04-20 15:13:30.959" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242178 UtcTime="2022-04-20 15:13:30.959" SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} SourceProcessId=420 SourceThreadId=436 SourceImage="C:\Windows\system32\csrss.exe" TargetProcessGUID={8D845A55-231A-6260-B902-000000004402} TargetProcessId=4204 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventID=10 Version=3 EventRecordID=242177 UtcTime="2022-04-20 15:13:30.959" SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} SourceProcessId=3040 SourceThreadId=3752 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={8D845A55-231A-6260-B902-000000004402} TargetProcessId=4204 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=1 Version=5 EventRecordID=242176 UtcTime="2022-04-20 15:13:30.959" ProcessGuid={8D845A55-231A-6260-B902-000000004402} ProcessId=4204 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" FileVersion=8.2.5 Description="Active Directory monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName=splunk-admon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"' CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={8D845A55-159B-6260-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2 ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ParentProcessId=3040 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=3 Version=5 EventRecordID=242175 UtcTime="2022-04-20 15:13:27.682" ProcessGuid={8D845A55-159B-6260-0B00-000000004402} ProcessId=636 Image="C:\Windows\System32\lsass.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=false SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57765 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-ctus-attack-range-355.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=3 Version=5 EventRecordID=242174 UtcTime="2022-04-20 15:13:27.682" ProcessGuid={8D845A55-15AE-6260-2B00-000000004402} ProcessId=2952 Image="C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=true SourceIp=0:0:0:0:0:0:0:1 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePort=57765 SourcePortName=- DestinationIsIpv6=true DestinationIp=0:0:0:0:0:0:0:1 DestinationHostname=win-dc-ctus-attack-range-355.attackrange.local DestinationPort=389 DestinationPortName=ldap
EventID=11 Version=2 EventRecordID=242173 UtcTime="2022-04-20 15:13:30.659" ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2022-04-12 13:22:35.754"
EventID=23 Version=5 EventRecordID=242172 UtcTime="2022-04-20 15:13:30.659" ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1C9871252B1B4059B8330C80D255DB1E,SHA256=E2078F603A0D6740832978058D0A1EF228E5BE10692D876808E8D292EC12C646,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 EventRecordID=242171 UtcTime="2022-04-20 15:13:30.390" ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" CreationUtcTime="2022-04-12 13:19:12.909"
EventID=23 Version=5 EventRecordID=242170 UtcTime="2022-04-20 15:13:30.389" ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes=MD5=B5EAB004D3DFDB783681C97EAF5ED28C,SHA256=431FE36977690FA18CBC4C51F0976A10128495878F5D6E5D632E5F8C0FED8DF0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 EventRecordID=242169 UtcTime="2022-04-20 15:13:30.294" SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} SourceProcessId=3292 SourceThreadId=3312 SourceImage="C:\Windows\system32\conhost.exe" TargetProcessGUID={8D845A55-231A-6260-B802-000000004402} TargetProcessId=2412 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242168 UtcTime="2022-04-20 15:13:30.293" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242167 UtcTime="2022-04-20 15:13:30.293" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242166 UtcTime="2022-04-20 15:13:30.292" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242165 UtcTime="2022-04-20 15:13:30.292" SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage="C:\Windows\sysmon64.exe" GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=10 Version=3 EventRecordID=242164 UtcTime="2022-04-20 15:13:30.292" SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} SourceProcessId=420 SourceThreadId=4820 SourceImage="C:\Windows\system32\csrss.exe" TargetProcessGUID={8D845A55-231A-6260-B802-000000004402} TargetProcessId=2412 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventID=10 Version=3 EventRecordID=242163 UtcTime="2022-04-20 15:13:30.292" SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} SourceProcessId=3040 SourceThreadId=3752 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={8D845A55-231A-6260-B802-000000004402} TargetProcessId=2412 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventID=1 Version=5 EventRecordID=242162 UtcTime="2022-04-20 15:13:30.292" ProcessGuid={8D845A55-231A-6260-B802-000000004402} ProcessId=2412 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" FileVersion=8.2.5 Description="Network monitor" Product="Splunk Application" Company="Splunk Inc." OriginalFileName=splunk-netmon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"' CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={8D845A55-159B-6260-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52 ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ParentProcessId=3040 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventID=11 Version=2 EventRecordID=242186 UtcTime="2022-04-20 15:13:31.767" ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2022-04-12 13:22:35.754"
23542300x8000000000000000242185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:31.767{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488A5E87F68500D0C465163E8D3079C8,SHA256=E2652C855114DF3A001F1FC68C25CF4B8A0D2E3524E88EB9F72988C4B615BD6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:31.128{8D845A55-231A-6260-B902-000000004402}42044332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.884{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-231C-6260-BB02-000000004402}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:32.883{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.883{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.883{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\AlternateServices.txt2022-04-12 13:36:19.111 10341000x8000000000000000242203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.883{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:32.883{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.883{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-231C-6260-BB02-000000004402}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000242200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.883{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\AlternateServices.txtMD5=4FA74B62D6387707C7CA607B916D152F,SHA256=A79A6807ABB75A8C2BAC2A79A5B8D41D794E24A562004803AFE17B0FDFCD6FBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:32.883{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-231C-6260-BB02-000000004402}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.883{8D845A55-231C-6260-BB02-000000004402}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
11241100x8000000000000000242197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.875{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.875{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6DB7B8566FA9CB53C939C8B4107192,SHA256=44BE4A3EA25E315363BE46BFBA7227CFE1FBD51AC19C0E0820C1FB284D1A820A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.416{8D845A55-231C-6260-BA02-000000004402}55485180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.207{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-231C-6260-BA02-000000004402}5548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.203{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:32.203{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.203{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:32.203{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.203{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-231C-6260-BA02-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.202{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-231C-6260-BA02-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:32.202{8D845A55-231C-6260-BA02-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.986{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.985{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5453EF801B916FFFE55D8EAC54976274,SHA256=7ABB7D5C86E88A24BFC1855A69CCF1451A37D3E869ADD223274F3123624ADEB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.729{8D845A55-231D-6260-BC02-000000004402}19201300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.556{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-231D-6260-BC02-000000004402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:33.555{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.554{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:33.554{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.554{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:33.554{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-231D-6260-BC02-000000004402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.554{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-231D-6260-BC02-000000004402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.554{8D845A55-231D-6260-BC02-000000004402}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.263{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2022-04-20 15:13:33.263 11241100x8000000000000000242211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.263{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2022-04-20 15:13:33.262 11241100x8000000000000000242210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.257{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2022-04-20 15:13:33.257 11241100x8000000000000000242209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.257{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2022-04-20 15:13:33.257 10341000x8000000000000000242208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:33.064{8D845A55-231C-6260-BB02-000000004402}4080972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.994{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.993{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE4B4A0978D573792E1F181FADCBADB,SHA256=16D444021FA0EA8F8DB23F83EEFD696E22CB24BFCEBCE283F4351B2266B60A8E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000242232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:31.435{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000242231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.220{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.219{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:34.218{8D845A55-231E-6260-BD02-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:36.095{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:36.095{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D6F2E6B6EC535886F99AAA475329DC,SHA256=C24833686F583166D4038BF5434B79749EA095E5B0AC0D94D5B69EF604266BD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:37.203{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:37.203{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A8764BCA954946D306461BAA4B38A1,SHA256=4FC9DBDCEAA814B80073B91EC9EA063EDD67F1FA18828871866D43343ECFE114,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:38.308{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:38.307{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2163E2C46DA2374DF49F42A88FA4804D,SHA256=5BB9A6565ABC56AF5007F82C39111494B758C54AC65989552DB31AD853103B67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:36.514{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:39.313{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:39.313{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D145FC1940687DD4DCA16B2BC8C2736,SHA256=96726753FEA45B9C9A4E554C89EF1102F59EAC662686838FFD9F8F8065B523FB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:40.416{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:40.416{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C6F131391B5C6EF62451294553401A,SHA256=BF64BDD23879AFAA2DCBDAFC8860BC3992989CFB924F987AA94A10D7A7E6E08A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.526{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.526{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB0FFF8AA8AB2A300E952F415AC884B,SHA256=32818A900177774D6442E168103F778869BC5114454EF7156E2F37FDB38DC84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.448{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-055MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.447{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0552022-04-20 15:13:41.447 11241100x8000000000000000242246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:41.446{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0562022-04-20 15:13:41.446 11241100x8000000000000000242253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.532{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.532{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9C69081F5B338F44C81A307BD69B14,SHA256=606EB313251C2C7B09A676CC373954813078060EC115DAE1D8D30C4D10849FA7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000242251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.447{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:43.636{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:43.636{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03743CF6CDE2C46746B48FB3017207E0,SHA256=5452F73DFD6479C300D95089EDA5C6D28EB8D83142DEEB741852993A5CA4140F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:44.739{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:44.739{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65227228CD741DDB13F9064764E64C1,SHA256=066FB135F0F1FC1C9C8C3EFD995FBFC79857EDF8EFD1086FCD250313CF4CC8FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:42.503{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.844{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.843{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA6FB2FD7A89178B87A39EDF974AD02,SHA256=BF95BE36FD64A2CC5788CC3C00A1BBFA571A5C049D151A7243867BD2B1095E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.268{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:45.267{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6F49DFBA80F17DD12EB5F0242AEB6698,SHA256=51700D8363F0AB6159135F908EE8D316AE85E2F5FA3D5728DB4D03F9D10F6751,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:47.150{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:47.150{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A842F8FB977B4EDD198089BB280DF8,SHA256=C1D785C60B500737953010DF6401FF75CF4A70A5D135B6D604156DD1C68BEABB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:48.154{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:48.154{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE05EB7CE7B0D362CC5B678789A2134F,SHA256=48D3728E439B0497EE84EC94CA2FD7A5612AAA51741B7C97D775DB242786E1C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:49.257{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:49.256{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A74E331253E2B982E0B6EE2240F5E0,SHA256=D1B2AD7981B2003678390750C28B2ACC053965BC4F99EA40E0338CAB828F23FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:47.600{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57769-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:50.261{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:50.260{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8668AC635B0B1437EA24A66C0ED4F8A0,SHA256=7F578F7CE7C8ABB34B3158535A60761241E7CB195005C1ECF9E8A06E6C69750E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:51.364{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:51.364{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A4E4E1C5CED08874069E6BF3506599,SHA256=4DD1382588DA1B98528EF97751AB64DB5E15F506387A082E7ABBA892552D0462,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:52.371{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:52.371{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47557355561B5CF6F30347118DE0397C,SHA256=B69BD22100B0224F73E5F4C9ED5469B197885A949F0BF9382ACB2B68CB98ADC9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:53.379{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:53.379{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCB11AA92FD8FEB803A51BC6B942DB9,SHA256=C3F554F74AE160A1D4698E107EFEAD4FD517FE300AB0B4719728A1D99481B787,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:54.482{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:54.482{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F1469826AD68F41B9B9C526EA8F678,SHA256=429212A30EF0BC73A03D66CEB5E2368C564D1A7B976413983F171D882E2320AC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:55.488{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:55.488{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7E86B138A9DC26AA4CAF1BC5FF06BB6,SHA256=174096F7DD2A3AAD638C16F1451AC68A32067EB9887DEC636A923F3EB83FF5F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.592{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.592{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E015FED7B6EA091C202D7372CC202C0,SHA256=5255B91B1A97B41CFA816434C333ED3C43A7865A416B2B7710AF621F268CEC29,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:56.117{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:13:56.117 354300x8000000000000000242287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:53.426{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:57.696{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:57.695{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F9B3A36437CE364F90ED66BCE18099,SHA256=68655EBB383854BE2212D95B287F1ECC500445C4F559748A3468FB87C5D4E2E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:58.700{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:58.700{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA24413B5C1C7BF4C0117994F67B7D3,SHA256=A132E427522E99C6B2919503AAE7EDEBB42EF6D5617828A052055AFA2181AC2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.805{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.805{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54C43395940523C66E43D0D2B52377,SHA256=DA3C9DC21B2C167B4266D1B111B9C3279EA7C797E551CB491D6E1500111A176D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.289{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000242291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.289{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0003603650DDB72E2E32CBF848AFCDBB,SHA256=0D7D913830645F1F1811830A9DD35DA2478EA3832D3223C165A3AA9DA196507B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:13:59.267{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E4AB6C4DE9CCDA606079B265A90F22E1,SHA256=12F5BEEDC35EB7738EB9D029B831815CCD8B601A817FFD2A2394100DC7490107,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:00.911{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:00.911{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDE1E5F09C7A04E3B6E026FD0A53E25,SHA256=C7C5C60CCE271518B8318DA0BDFA6D6D12A020E9523EDD924ED57FA2D9111FFE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000242304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000242303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00353e01) 13241300x8000000000000000242302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d854c0-0xe1545bea) 13241300x8000000000000000242301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d854c9-0x4318c3ea) 13241300x8000000000000000242300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d854d1-0xa4dd2bea) 13241300x8000000000000000242299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000242298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00353e01) 13241300x8000000000000000242297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d854c0-0xe1545bea) 13241300x8000000000000000242296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d854c9-0x4318c3ea) 13241300x8000000000000000242295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:14:00.157{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d854d1-0xa4dd2bea) 354300x8000000000000000242307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:13:58.430{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:02.014{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:02.014{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1700D73E7679A00FF807E153E7CC434,SHA256=69ECB9C55C17DF5A74410D42489A91E6E569EA206CB2B921C1DFDDB5FEB9F31F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.267{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000242312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.267{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.118{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.118{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098FDD32E58F28BE0A1AD161F52248A2,SHA256=33E72C8124B59F62FDC3596E350B3A96976CD7118D2DDF98BA69BABD293D8CDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:01.654{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000242315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:04.124{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:04.124{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4E1F3131A30C394328A1806E01B1D6,SHA256=7823D0C0FE2D64F292284EE7EBE438505867F4563AA871DEFB32BCB70743FAB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:05.228{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:05.227{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3071552BE9403BCA422A3844BFE3DFC5,SHA256=BA8BDD77CBD99A81D3A1D06DB23D8975630C8F399B9BFF2B6C6428791B393577,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:03.594{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000242320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:06.331{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:06.330{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B619A10E4AF0BED14298D4A8A384362,SHA256=CBD20CEB63C9AC6D2135BA7C4CCBCD90CC2D23E3E66B56C64D33219CA41C7977,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:07.433{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:07.433{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9ACC7D5737466252C60AAED174D461,SHA256=CD0FED43915598692FB0A63A3344E472C5EB07AB08D29600085719BAB0C312ED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:08.436{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:08.435{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEA4D887971BA84D841D7C928B83E7E,SHA256=94D8237F169BDF7D29C5C6534192EF26AA467D234B56AC2FEE837662C6295B64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:09.540{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:09.540{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6596E92337F31F147455885E2160A0F4,SHA256=EC847CD3A86454BE42B89E25A15A193451C656127C5992500EBAE0E28C94AEB2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:10.544{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:10.544{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12DCAC2D493E308D77905E206B8B320,SHA256=DC908F2C537E22C6DE7C4CA8F8D11714EC3DF9275DC98792F22CD10161125DAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:11.649{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:11.648{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4499B50D9948D2A82458E0C1BBA56791,SHA256=E3E9C169297A566E25FC07DCBB277B2FCDECD23E1ADDC9F179B33E84D303820C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:09.499{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:12.752{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:12.752{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB45382134B277E73CF3A605385C7B65,SHA256=7EBC449BB36C3FA5466EF20C6D2EDFFCA86D0B1A80FA2418037466AD973881E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:13.856{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:13.856{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBDF1C28BE9BBFB52B180B21631EB1C,SHA256=8EF04865DDF277C4AB9555A00E1759E6A65231B0F7639F65A8530602CE803136,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:14.960{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:14.960{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A902D007A1637C1C602EC5AB55A992A,SHA256=6F68122676CBE1897311C0EE5F8B5640DE78D8C8E7A05804F000F1B257B42346,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:16.066{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:16.066{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA1476F2D1E98B496CB769C4CDCA3F2,SHA256=3CDF6AC844DD6A3E5E495788CE6219F1FBB478CDB6F2143CD1EE6CBD355B42C5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:17.172{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:17.172{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6957029EF43E5B7CBE092EFE9A518207,SHA256=CC05BD5DC7422721A5492C232AE36A9E66C71B057761D8B489183D307596C451,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:15.463{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57775-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:18.377{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:18.377{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B54EFC9392E2072403DED5D3B245655,SHA256=D0F93E9D8BD6B96CDD55F3BC69013B15964DA8FCEDFB60D7C7AAD2232EB002D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:19.487{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:19.487{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12837D96ACB15E831D504527172026E,SHA256=FBCF347D9953B291B8DDC5202444F337587E6373CEB9A4BD4F2D660881778891,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:20.692{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:20.691{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6D3A6DE5CB0DF226CC7128DDE78920,SHA256=8C95F20733EDC7527D8A83CEB2C78A2E6866EF24DF54A0E47404239CD1E6237C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.888{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.887{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E0388D5B0B143249116801E45F029E,SHA256=18C9E250102BF7823D47850F04546A4027276188AA6910E51FF4038180810AE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.243{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.242{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:21.241{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:22.924{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:22.924{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8329B434171D8091105C8B1B419E58,SHA256=527333BA8F4DD2C28B217453EFF91D1D6ABFD9DA1241E831BA4B4ECCCF9C6328,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:20.543{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57776-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:24.027{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:24.027{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82D1E9F72943B14D9F4F5E6F90FA600,SHA256=1CF802229BC03E483D2F253DD1356C0AAC32E175EE8075E7305FBFA65CA72728,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:25.031{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:25.031{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FBACC8626BC41EAFA979706DBF84B8,SHA256=B0F85BA70E5BA05FEEA239562DCAE2195F552207712742F9F4BABDD48454943A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:26.135{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:26.135{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3549C9F1CFDD12899586261490FA13B4,SHA256=DD8CA6173057BEC4FE0BB36998E624B23CD04E817CC0AAB31A4C68EA6D4ED26A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:26.111{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:14:26.111 
11241100x8000000000000000242402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:27.139{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:27.138{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD844BBACA9365B36FD6B6E8100A64B,SHA256=9816D8C7D3589D00AA7A1462BE4C142CB46029F6A724722F7E299A1ACD02268D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:25.574{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57777-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:28.153{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:28.153{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A9E52CB2ACE75279F83EB09F51D2F7,SHA256=B81ABB18C1CC42D4A360509C43E467D469E07D263F09BDDA9D2CA0817973C983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.520{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2355-6260-BE02-000000004402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.519{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:29.519{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.519{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:29.518{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.518{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2355-6260-BE02-000000004402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.518{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2355-6260-BE02-000000004402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.518{8D845A55-2355-6260-BE02-000000004402}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000242408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.490{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=45E84EE70F54E1802E45E73906E5D656,SHA256=8B650EDBD767884114BB01207E2DA9303EA8133631FF82D9708ED187DE6A8072,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.357{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:29.356{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BA87C0C7D09B366DBD620C113EC593,SHA256=496969DDCB0F96CA892EAA871F04DD634F593A846349FC0F207491D172A489F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.852{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2356-6260-C002-000000004402}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:30.851{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.850{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:30.850{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.850{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:30.850{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2356-6260-C002-000000004402}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.850{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2356-6260-C002-000000004402}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.850{8D845A55-2356-6260-C002-000000004402}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.561{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000242429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.561{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ED64A3B3DEAD20C4A9F96EA959D3E44,SHA256=5A2234AE8F55C8E09BA4CA4ABA39861D587A772D6B4C33D167150BCADDB81D37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:27.698{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57778-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:27.698{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57778-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000242426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.367{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.367{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9753B3A08B0FE6D62868B40EBC417E,SHA256=7A6B027FECDC894968E87FA0EFA4979BE0F589A623F608F5148B21DD456196A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.186{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2356-6260-BF02-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:30.184{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.184{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:30.183{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.183{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:30.183{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2356-6260-BF02-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.183{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2356-6260-BF02-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:30.183{8D845A55-2356-6260-BF02-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:31.475{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:31.475{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7DE46674EABC6658F6C2CA900E8A49,SHA256=F755FF05A799149AE9C288868A55890E5F094D649A234D185FA6F247278E0802,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:31.016{8D845A55-2356-6260-C002-000000004402}47125576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.804{8D845A55-2358-6260-C202-000000004402}42045116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.631{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2358-6260-C202-000000004402}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:32.629{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:32.629{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
23542300x8000000000000000242503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:41.324{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78CCF522DCC1BCEA1CCF80BC3E442C0,SHA256=2F6B5F009FAFA8479BD3903DE9ADDACABBA27BD3C1BF64429D3F12143F6898EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.947{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-056MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.945{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0562022-04-20 15:14:42.945 11241100x8000000000000000242507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.944{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0572022-04-20 15:14:42.944 11241100x8000000000000000242506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.428{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:42.427{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D8BA1A142BDE07245DF3DD5701BA14,SHA256=0DCCD23E6C219FEB29A125245829DAB29522A69843900EC4103C5DB7AA7AE262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:43.946{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:43.532{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:43.531{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF45A2B39D10DC1CB46AAE516C2E3663,SHA256=2FA7FBF8F0F7E1378E99AF8459D252239293F4D82AED2D3B1CFF9B16DCF9C675,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:44.633{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:44.633{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAA990463D85B4C3D3056B0CC2D52FF,SHA256=4C51D6234929B026856BAE4A83DA18E1A72E8C08ED0E8C2D6AC498B3DBEAE31B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:41.456{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57781-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000242524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.793{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.793{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.793{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.788{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.787{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:45.787{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.787{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.638{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:45.638{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42903F0EBEE51E43196715FF6CDD48C5,SHA256=760B14CE6AE5F9BA0D9ABE04F7C31C9E551A64770EBD99181F92CD00CCD4F938,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:46.745{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:46.744{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169D66EB353C91C58DAD1B12B50CE328,SHA256=DC039EF3A8B90217E023BA2377C91EE41C3030B5749748FF33612BA96EC4B1AF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:47.850{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:47.850{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3B5ADD3AF2269CD9B011C9A94A5523,SHA256=58EDDDB4CDA5E22539D6165F33997E78F0613BC327107FB8740BA357F4FE8B92,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:14:48.956{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:48.956{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA221738CE8374E13C6FAE5F1AF55698,SHA256=5AF5345D936A3DF65268700D27F06AAB7EE95B3A4CE5107E9841D9E5DB5975B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:46.527{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57782-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:50.060{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:50.060{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A90D896CEBFAD2BA8760D890ABC5EB,SHA256=9D9838A5A571475AC63CDA6A98CED8C49D6FBCB7ADE2D1B5FF284D1E4B89D72C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:51.164{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:51.163{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED56F708F929A3C7A8570F9C9CBE193,SHA256=4197210C321B1ADCDE0D246CF16994689E54AB2AAE34406CDF5996DCB8F0D1E8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:52.269{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:52.269{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5CF130F0B89AA333A6720805622DC8,SHA256=DBBC97B0E797C597D1855C20EACD25C596BA0B5EB6912438EE50E77C5E8C589E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:53.372{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:53.372{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631E8832097E66B6E20EA4AD61D544A9,SHA256=F85FB7A4E84EBD6ABD5EF01A9F261BB1DE027024F834A0434C46AABDDD429F35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:54.478{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:54.478{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE9456E7FCC4B376FF78422F111F908,SHA256=EF909B01C1D16CEC59F2EE7042618C91D749A6B3BA0BBB95959A6375CF95CBEC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:55.481{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:55.481{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAF2A77878327EEBF9CF16AC55ED0A1,SHA256=EB8FB296D4C3BF50DC746CD15B14E6CB920A031076283E25C07890CD22D2247E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:56.586{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:56.586{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C933C87D9D1631A3C94ACE647D168B,SHA256=DE637126B77DCF93E8FFCD41F557245BE2404B2CE7D9A0C3544BA55FBBD4EBDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:52.457{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57783-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:56.113{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:14:56.113 11241100x8000000000000000242549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:57.691{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:57.691{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97137033B591D1699854FBD68AE51D76,SHA256=098BEAB69092EE4F46AAC6EBC0F5823855974933AE425C712B1BF2A3E83ECEB9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000242551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:58.796{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:58.796{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2052A187D9DDC1031A237DFCE773B0,SHA256=928F1905D52FD1A3FF1A8758C030B391DF5EA76CB1172F8EA3BF8C1B107E57B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:59.900{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:14:59.900{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD9BA99B168E661E40B3896BA052207D,SHA256=EFA843F61C0DB9A0611229003FA5CB4B5C6E0B852641688F26BF74092F9A1DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
Sysmon records (flattened export, field boundaries restored). Every record below shares: Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local Level=4 Opcode=0 Keywords=0x8000000000000000 RuleName=- Task=EventID; Version=2 for EventID 11 (FileCreate), 5 for EventID 23 (FileDelete) and EventID 3 (NetworkConnect), 3 for EventID 10 (ProcessAccess). All UtcTime values are on 2022-04-20. Every FileDelete record carries IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true.

Tail of a FileDelete (EventID 23) record whose header precedes this section (date on the preceding line):
UtcTime=15:14:59.668 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log" Hashes=MD5=8DE5EEE8468403612A7F4F9159A25483,SHA256=CA5BE3B9B49268851DB33B75D3CC1B1152ED36E724B9C89ABDA4325A68D42A0C

FileCreate/FileDelete records, miscellaneous processes:
EventID=11 RecordID=242553 UtcTime=15:14:59.284 ProcessGuid={8D845A55-159D-6260-1100-000000004402} ProcessId=416 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat CreationUtcTime="2022-04-20 14:16:57.501"
EventID=23 RecordID=242552 UtcTime=15:14:59.283 ProcessGuid={8D845A55-159D-6260-1100-000000004402} ProcessId=416 User="NT AUTHORITY\LOCAL SERVICE" Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Hashes=MD5=00FEBE03566338F865C232F169349FD3,SHA256=AE6770A664691CD11D5D13A42E68C4F0312E1A1F60ECDBA1378E8ADA306562ED
EventID=11 RecordID=242559 UtcTime=15:15:00.571 ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} ProcessId=6032 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin CreationUtcTime="2022-04-12 13:31:22.993"
EventID=23 RecordID=242558 UtcTime=15:15:00.571 ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} ProcessId=6032 User=ATTACKRANGE\Administrator Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=336D57E60F20809DD02B30F826316D04,SHA256=8F13A8491C296BC5E22FC147F0C95DA6890D36F105C1188DF5FA0BD860DB7A44
EventID=11 RecordID=242567 UtcTime=15:15:03.278 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" CreationUtcTime="2022-04-12 13:20:00.173"
EventID=23 RecordID=242566 UtcTime=15:15:03.278 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" Hashes=MD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13
EventID=11 RecordID=242583 UtcTime=15:15:10.660 ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} ProcessId=6032 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin CreationUtcTime="2022-04-12 13:31:22.993"
EventID=23 RecordID=242582 UtcTime=15:15:10.660 ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} ProcessId=6032 User=ATTACKRANGE\Administrator Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=4F25B422168C89D611EEA5AB00FCC713,SHA256=876E8182F2EE0BCAAFE623CBE7C2882439EA48BF259324D3A666F01F32BBF68E
EventID=11 RecordID=242609 UtcTime=15:15:22.236 ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} ProcessId=6032 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin CreationUtcTime="2022-04-12 13:31:22.993"
EventID=23 RecordID=242608 UtcTime=15:15:22.236 ProcessGuid={8D845A55-1AE7-6260-9101-000000004402} ProcessId=6032 User=ATTACKRANGE\Administrator Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin Hashes=MD5=A03574B5C5AD20B2921118E2FECC8F89,SHA256=F1681E78856D0441E3FBC6055D4BF23FADEA0A3B9012D159A2BCC3CE3F613415
EventID=11 RecordID=242619 UtcTime=15:15:26.110 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log" CreationUtcTime="2022-04-20 15:15:26.110"
EventID=23 RecordID=242637 UtcTime=15:15:29.893 ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log" Hashes=MD5=78F9F0082061DC1A39FEA26112F6AB3E,SHA256=2780B968258C03E21A05CA2E56CD64867B1C319716421F023FF4EC56264F8A03

FileCreate/FileDelete pairs on the event-log checkpoint file, one pair per second. Common to every row: ProcessGuid={8D845A55-15C1-6260-8300-000000004402} ProcessId=776 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2022-04-12 13:22:35.754"; the hashes belong to the FileDelete record.
RecordID(11)  UtcTime(11)   RecordID(23)  UtcTime(23)   MD5                               SHA256
242561        15:15:01.004  242560        15:15:01.003  610C69B199995090A01C7BA5B63B8740  03D6B396B8F52547C4F5E14EC9BD709197B700EECFA228DA9905CDB2E79A3318
242563        15:15:02.109  242562        15:15:02.109  3556FB8D54BD18529245C4C1D56BF8E8  0497ECAFD326B300DAA0FBF1FFA4D4CFCF3BDCF9A044FFB5356FB04D51B955DE
242565        15:15:03.115  242564        15:15:03.115  2C6B6DA527C594994022A09CEB3997D9  9606C01CF12C9C8360A031AFECE1E2413F66313786D64BCEB5C865433AF64D00
242569        15:15:04.123  242568        15:15:04.123  97A4B204FE0BCE7ECB79D3C810923FA0  E84889DDDE93C034469676927FBE9DF283FF4B2E1D3A55D1C9BA664BBCDAFC53
242572        15:15:05.227  242571        15:15:05.227  98920A55BE4AAE20F230A397E93EBB21  DF8B14036A2A140C10806604E5109FC3C467F9C959F40E5019603BAA6164C051
242575        15:15:06.333  242574        15:15:06.333  DB28A0E9FF514BAABC9560592412D936  7818E6EF700761F7131E6AD5F01F34FF1CFDCF67A94924FB9E6B3B15D8F705C2
242577        15:15:07.437  242576        15:15:07.436  EB75D939557176FFE0A82C011CFF3FF2  3F9E8239380E9B3FF525AAEBF667A94008081EAE6E83909343249C19C351985B
242579        15:15:08.542  242578        15:15:08.542  E368BCA921046B31B9D3197032B04597  83ABBBAE1FD0F2BA1E2ABA6FA9546C87492FB70D63DC17AA540E15B72359DE95
242581        15:15:09.645  242580        15:15:09.645  5E3121B7C231DC9965C90C42CBD2B5D4  13199B1AD96DE90D5A86A91B29DD95DF89ED1A398F3038197E4961247780A418
242585        15:15:10.750  242584        15:15:10.750  AA7136E973A1879012C7FA21921CACF0  3B90867760861BDB638618AF6F6342F425BFA8271DD0CB9EF22193E3A1D20C34
242587        15:15:11.756  242586        15:15:11.756  D291ABB1D14D663A2894C0FB774DF39F  91DBB40194D1866F4675B6F2E559A042AD50342B98C0BE2C3E5A01DA60A991DB
242590        15:15:12.861  242589        15:15:12.861  ADBAA366398B65F4B066AD0431BCB2BA  5DF47D034F42BE72172BF9E093ADD364B2F370DB1071B90F4C7F585FA99DD067
242592        15:15:13.965  242591        15:15:13.965  1B906291DAEEC3D6A24E87CD848D83F5  90498A8FFAD6D0CBC9165A1FADF58617A5FBBFDAFC16BC2DBCA83FA0530A5793
242594        15:15:14.969  242593        15:15:14.969  8C6F20C248932B59862693E7EE6600DD  323655AB092097A0169E0BC7AED3AE52FD390E8AE63E441D9D64354DBBB66E97
242596        15:15:16.073  242595        15:15:16.073  73DEFC229CFAC645D78E308ECC0CBCD9  D52C170604E22F85AE43BA39E55B857EE3031A87EDD710EDCC82E02A946E50FD
242599        15:15:17.077  242598        15:15:17.077  06EC3DBF6C810FE9FA02996EA96B2FB1  5B6782FE3994922C527FF36C258EBE3DDF532C219EA7BC21BFFC39B570F317BC
242601        15:15:18.087  242600        15:15:18.087  E04CB78CB554F6F3D409237EF7C2CF16  93285D81A203360BADFC0C964CEAA6D514FE067141E3B5DFE04FCA9D374708CB
242603        15:15:19.093  242602        15:15:19.093  5237670CD1C261F878F94ACC10CE0F82  C161276F82AF714E0215A2E0AA50E8E7E4D82E3DFFA51AF47FC7879E2D81320E
242605        15:15:20.196  242604        15:15:20.196  F1A601D533048EF94E434F3940032EE2  CDB6B342604C83AD5E1C106C9C51C1CABDEE77B68E8DD99A9DDE7C54C721251A
242607        15:15:21.299  242606        15:15:21.299  34202B8B58EC496853ED6E7FFD07D938  2E28FCBFF6611CA813EE8C73F6C7A59BC4810ABD9323F74906F45071D0D6D7A9
242611        15:15:22.308  242610        15:15:22.307  CD322E5D7A94F89D441B4C996BE4D72A  EF594226F9195C65910F47555F53D3E391429425E8305CBB7C4BF72938EBDB11
242614        15:15:23.412  242613        15:15:23.412  0EF0600977EC06FE03AE34BA6CB8D861  36CA2C98A2A8093B2FB620C7E09935C8FDFC22456360094841FE95F95CA65650
242616        15:15:24.518  242615        15:15:24.517  2006020252C3C394DBFFCC173A59C239  3DF4F154AC6C6FF470D23AF793CE6B9B5CC284679123ABCC501EAF5DB0FC98B6
242618        15:15:25.622  242617        15:15:25.622  3ADD5528C38C501E7855086FCF4CBB1D  B74844FC39ADC7ED89695B2A0049ED1C470722938D841938C1B03DC8FAADF6EF
242621        15:15:26.627  242620        15:15:26.627  843DA2498ED38B516974275388696A79  D64B0298E65A40E8D7483DABBBEAF80382AA9221B6415165C85AA7D1EC62BC78
242623        15:15:27.730  242622        15:15:27.729  43C54249C4D6F2406975BB43D5880D8A  F49C5D2F91EA918DCBEE359AE527CFA522310FBF5ED7F498589EDBC1E8729D1D
242626        15:15:28.737  242625        15:15:28.737  A75EB747FFFAF330FB21E1D5E44BE6CB  DF3B777730474CD684548316BD07693F5380BC8B310D848E95CE7950918032C8
242636        15:15:29.844  242635        15:15:29.844  675BE10CF740FE0FE2F176CDE03E75FD  216BA1BF6B0565D0EC2181C36431C7EFB0097CED1BCA38EF6F0E7AF34A62934E

NetworkConnect (EventID 3) records. Common to every row: User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-355.attackrange.local SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPortName=-. Image is "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" (ProcessGuid={8D845A55-15B9-6260-7900-000000004402} ProcessId=3332) for streamfwd.exe and "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" (ProcessGuid={8D845A55-15AE-6260-2E00-000000004402} ProcessId=3040) for splunkd.exe.
RecordID  UtcTime       Image          SourcePort  DestinationPort
242557    15:14:57.519  streamfwd.exe  57784       8000
242570    15:15:01.671  splunkd.exe    57785       8089
242573    15:15:02.651  streamfwd.exe  57786       8000
242588    15:15:08.483  streamfwd.exe  57787       8000
242597    15:15:13.614  streamfwd.exe  57788       8000
242612    15:15:19.539  streamfwd.exe  57789       8000
242624    15:15:24.644  streamfwd.exe  57790       8000

ProcessAccess (EventID 10) records:
EventID=10 RecordID=242634 UtcTime=15:15:29.514 SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} SourceProcessId=3292 SourceThreadId=3312 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={8D845A55-2391-6260-C502-000000004402} TargetProcessId=5044 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=242633 UtcTime=15:15:29.509 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=242632 UtcTime=15:15:29.509 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=242631 UtcTime=15:15:29.508 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=242630 UtcTime=15:15:29.508 SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} SourceProcessId=844 SourceThreadId=4504 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} TargetProcessId=1212 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventID=10 RecordID=242629 UtcTime=15:15:29.508 SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} SourceProcessId=420 SourceThreadId=356 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={8D845A55-2391-6260-C502-000000004402} TargetProcessId=5044 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
EventID=10 RecordID=242628 UtcTime=15:15:29.508 SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} SourceProcessId=3040 SourceThreadId=3752 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={8D845A55-2391-6260-C502-000000004402} TargetProcessId=5044 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"

Head of a ProcessCreate (EventID 1, Version 5) record, cut off by the end of this section:
EventID=1 Version=5 RecordID=242627 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-ctus-attack-range-355.attackrange.local RuleName=- UtcTime=2022-04-20 … (record truncated)
15:15:29.507{8D845A55-2391-6260-C502-000000004402}5044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.888{8D845A55-2392-6260-C702-000000004402}59602480C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.855{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.855{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3BE951327B964BA59E563DC7E290AD,SHA256=BEBFE83B0C588D90226C2327B80F5B368A2C1497232D53CBCF2E94196B8C40A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.671{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.669{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.669{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.669{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.668{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.668{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.668{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.668{8D845A55-2392-6260-C702-000000004402}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:27.711{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57791-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:27.711{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57791-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000242647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.446{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000242646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.446{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=377A407B178221DCA9F42B8850A3C564,SHA256=7FC09A979BFC972CCB2B1CDE217E5771D43DDEF0771623340D112C8C3959B2DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.153{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:30.151{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.151{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.150{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.150{8D845A55-2392-6260-C602-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:31.958{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:31.958{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391DE6F79B3E89EBE23597095C6841BE,SHA256=B41183B8551ABE1D4069A09930C2B2F57E73AE43BD87C62B52BBE8152B16104E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.745{8D845A55-2394-6260-C902-000000004402}46762592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.572{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.571{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.571{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.570{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.570{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.570{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.570{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.570{8D845A55-2394-6260-C902-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.251{8D845A55-2394-6260-C802-000000004402}12604904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.079{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.077{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.077{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.076{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.076{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:32.076{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.076{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:32.076{8D845A55-2394-6260-C802-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.779{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.777{8D845A55-2395-6260-CB02-000000004402}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:30.505{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000242691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.333{8D845A55-2395-6260-CA02-000000004402}23484104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.099{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:33.097{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.096{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:33.096{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.096{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:33.096{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.096{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.095{8D845A55-2395-6260-CA02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.072{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:33.072{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6AF56B59392ADE67B1158AB3DA6FC5,SHA256=80DE62482966670B7CDDA1EFD6E5463CC815DDCE90415611D7589A952D8F0322,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.183{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.182{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798431EC99EBA889A5B934598EE619B5,SHA256=E831788E897DD24B05D40F600A894D3FBBCC3966E4884397D9DEE687DF36CDA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.078{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000242701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:34.077{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=D0A809E82D986188707E46746C5D8FF6,SHA256=C2CDECC9298673CBA7B49687F5D57AE85B760A8D0FDDC7D3F71AC0AE11D09670,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:35.287{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:35.287{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E94D7E6CC0502A1131ADF9CE2564DA3,SHA256=7ED948432C662974CDFC5EE1EC3F72131EFB992459FA04C2031864516A30B60A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:36.291{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:36.291{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BD3313B7E1A1CFFABBEE6D2161B82F,SHA256=ED325FEA00D0A714C395601A761CE2A487CB383B54651E2BDE2A47614E4FB9BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:37.297{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:37.296{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E60B07B3E7A330F2D75D52740757EF,SHA256=475A93F0313B04EE9898167E7F9D556FBCF5324EC64BE7030234D5A67EF20621,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:35.522{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:38.304{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:38.304{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C517F067145F10284A6E58457826D077,SHA256=43EAC8653D96C23DA41B8CD55DD5233F45095BEF91D630257430757AAD35F494,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:39.308{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:39.308{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED74A300AEFB59250B2E11CF1184008,SHA256=F626DDD80F8F770CAE152073ECF0DAD33A5AF48B2FB8628544AD51E96393A51C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:40.312{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:40.312{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B0343B90F1BE1EF45CA8E39E3F8269,SHA256=1361737F285E05033DFB734201B106122513474BF60E5C79E84D9C5FA9B66878,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:41.417{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:41.417{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A874AA7BF3375730A07A5BEA2E9D2B7,SHA256=703676615F1E51713F3C97055BDFE9BD745FC2D38E6FF5151F89E62C534D8C03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:42.524{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:42.524{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4725D10B863457BE61B3F99BD11E11,SHA256=513914300C02EE3EFD1BB81F030E8A208020CF799384CEC8AE39ABADEF32BDF2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:43.628{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:43.628{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30087B4893EF4978D11E1310F1C9A359,SHA256=232ABBBE148131A1F810500B56D2F45497B630324D7632DE5D62D5B8E77258F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:41.444{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:44.734{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:44.734{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994C9EB4DB7C45DB053694346595341B,SHA256=7732964CE0C2EAD0D0CB4C4AAD636BF614A25E08A5382F4EE9AAB6782F9174A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000242726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:44.446{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-057MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:44.445{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0572022-04-20 15:15:44.444 11241100x8000000000000000242724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:44.443{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0582022-04-20 15:15:44.443 11241100x8000000000000000242739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.841{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.841{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0404D4498F2949A2293238EC7668F94E,SHA256=D6CE5E84766D77DE5B8220E38C7B359BF9B0BCE8DA3A8CD599B5D3659EE61B5F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000242737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.445{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.388{8D845A55-15DF-6260-9400-000000004402}43241136C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.388{8D845A55-15DF-6260-9400-000000004402}43241136C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.388{8D845A55-15DF-6260-9400-000000004402}43241136C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.380{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.380{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.379{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:45.379{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E68-6260-1002-000000004402}5452C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:46.945{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:46.944{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570C0CD33893A92C4ECAE392C3F1E8BB,SHA256=6851DAFE1F094CCBA675EA03D24765B85671A3EE41B2F59051F473803FEC4E35,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:47.954{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:47.953{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FBD5EC2C09A5EB9ABFC5692B48AB2E,SHA256=ADFE897D9C2557488D5C862EC2D74D0B548E471FD229E7B8DA79AF9470E5BBA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:46.532{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57795-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:49.057{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:49.057{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F8597E96A525F5CE74C5BBD9878686,SHA256=AB44907464C38BDE7BB80216BEA4134BEEDC830D9BD7045A2903F77C2E40A1FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:50.061{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:50.061{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6346BA105F45CC85A245606C170A8CB,SHA256=348B8E7FE06F7AED094CCBD00B24B36F8C68C1A86FBD6FFEC925E94E0CBEA0FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:51.165{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:51.164{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6746E47ED287499C7E94F7714A974DAD,SHA256=0BD7B47C52ADCF0AE98B9F83780FCEF50810D79A2054B4F5421A31F429216FA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:52.267{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:52.267{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E2EF12E97DBC98C3C40AE55249D93F,SHA256=A10B5A37C9CE1C7E51AA200833A1E3E68CA5B19FDD7344A43AD07E90027068E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:53.374{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:53.374{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EB271461A2AB4959B9FD938A523E64,SHA256=4C36CAEA686E077D0F99A79912CF7A04EE9D0E4542A64BCD507AF6A7FF1B0E53,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:53.268{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xml2022-04-14 17:01:56.838 23542300x8000000000000000242754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:53.266{8D845A55-1E68-6260-1002-000000004402}5452ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=E87A54C46F90F3AA0FE6A7B828DD9E83,SHA256=0B7563811A942F9C5F45F95B17188E2C65D2464BD2D5353FEFC351BF683AA7AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:53.259{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-04-20_1515532022-04-20 15:15:53.257 354300x8000000000000000242763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:51.570{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000242762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:54.786{8D845A55-1E68-6260-1002-000000004402}5452ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-04-20_151553MD5=C9C79AAAA9E328BADBE4D3F5DBCF2467,SHA256=E88B67FE7E0B301DCC71EFBF3C981474FECCC9AF36DF79A1D27551A7234CD11C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:54.777{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xml2022-04-12 13:18:48.382 23542300x8000000000000000242760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:54.775{8D845A55-1E68-6260-1002-000000004402}5452ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=86A70F47C1D6386773C1D7082A615531,SHA256=661B26866D0D952938F1C0DE4EB9F257733E3EB2557954226CF51E5B18DD68DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:54.477{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:54.477{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF5647C5E8270779CEA4A548965F6EE,SHA256=3A320C91FB9685A98525D632DD98565F9B4F68FDDF047319699D8573C1605638,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:55.581{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:55.580{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5F7737AB52B171769DA8189B9FC5A,SHA256=CCAED37C8AE8780A26A69241BD8064A9C8C28D1499B8BA3CE28457A8AF20EF66,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:56.586{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:56.586{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146DE3DA2D7F75935091BA8D83F03E1A,SHA256=9F0E923158E08CDE2FCC9504304076F47635DDD40B82BA1E6249281CB9823667,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:56.095{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:15:56.095 11241100x8000000000000000242770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:57.590{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:57.590{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8585ECE1E139CE62BB8AFFEE642449D9,SHA256=04493AE3FE368FED41E641F66D90AEF36633F3C1C487DC596626FF8B14F50157,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:58.696{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:58.696{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7343A92B58D93D69C98FB0D23C700898,SHA256=2FDB1B05C61D99566E8E6AE10DB11E899E186E6D931A2557F3CBC4270E697450,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:56.579{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000242797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.708{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.708{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C980D0A76CF275E347CB05E365C707,SHA256=94704BD367C1515FE692C9DE7651AD515957962B576BC79EC7804E84A6209DA7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000242795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.371{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000242794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.371{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000242793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.371{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\AddressTypeDWORD (0x00000000) 
13241300x8000000000000000242792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.371{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\LeaseTerminatesTimeDWORD (0x626031bf) 13241300x8000000000000000242791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.371{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\T2DWORD (0x62602ffd) 13241300x8000000000000000242790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\T1DWORD (0x62602ab7) 13241300x8000000000000000242789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\LeaseObtainedTimeDWORD (0x626023af) 13241300x8000000000000000242788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\LeaseDWORD (0x00000e10) 13241300x8000000000000000242787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpServer10.0.1.1 13241300x8000000000000000242786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000242785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpIPAddress10.0.1.14 13241300x8000000000000000242784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:15:59.370{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98e45835-fba7-4920-958b-0f78d830015f}\DhcpInterfaceOptionsBinary Data 11241100x8000000000000000242783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.281{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000242782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.280{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=022DDAC32D00C03EF5298C5450D9D222,SHA256=31295D5B79BF4936AF26C2A5FF6D05B5F0C6DE2872DD28EDE59EA47C2696375B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000242781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.226{8D845A55-159D-6260-1600-000000004402}12925376C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:59.226{8D845A55-159D-6260-1600-000000004402}12925376C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.175{8D845A55-15DF-6260-9400-000000004402}43245856C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.175{8D845A55-15DF-6260-9400-000000004402}43245856C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.175{8D845A55-15DF-6260-9400-000000004402}43245856C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:59.171{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.170{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.170{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:59.170{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:00.815{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:00.814{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BD8676F5ECC8EEC00306CB911F0326,SHA256=2BBBB57445A114DBEE431BECC049A0A645D6638CAA73C65BBD3EF39D0133B9FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000242802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:57.783{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 10341000x8000000000000000242801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:00.392{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:00.390{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000242799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:00.093{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=07753B21E3A9B59FBDC2BA48388122AC,SHA256=50861D0E29BB712387107D9D8B7923D688AC414E89667951FC4F4ACAA3A83202,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:01.924{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:01.924{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F6DFEA8BA0B0AEB738E6ABA84F378,SHA256=3A5F4C620C2CF06147594A652609CDD38B5ED6935ECC99E1F59ED930A37B4F58,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000242818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000242817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000242816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000242815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\FlagsDWORD (0x00000002) 13241300x8000000000000000242814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\TtlDWORD (0x000004b0) 13241300x8000000000000000242813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\SentPriUpdateToIpBinary Data 13241300x8000000000000000242812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\SentUpdateToIpBinary Data 13241300x8000000000000000242811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\DnsServersBinary Data 13241300x8000000000000000242810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\HostAddrsBinary Data 13241300x8000000000000000242809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\PrimaryDomainNameattackrange.local 13241300x8000000000000000242808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\AdapterDomainName(Empty) 13241300x8000000000000000242807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:16:01.402{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\Hostnamewin-dc-ctus-attack-range-355 10341000x8000000000000000242806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:01.393{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x8000000000000000242805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:01.390{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{98E45835-FBA7-4920-958B-0F78D830015F}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000242844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:15:59.817{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57854- 354300x8000000000000000242843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.816{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local65535-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domain 354300x8000000000000000242842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.816{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9890:5ff5:cd7:ffff-65535-truea00:10e:4424:584d:85c0:740f:488b:d45-53domain 354300x8000000000000000242841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.816{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56147- 354300x8000000000000000242840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.815{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56622- 354300x8000000000000000242839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.815{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56622-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domain 354300x8000000000000000242838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.815{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local57512- 354300x8000000000000000242837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.810{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56167-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.810{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56167-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.809{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local65535- 354300x8000000000000000242834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.807{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56166-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domain 354300x8000000000000000242833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.807{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56166-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domain 354300x8000000000000000242832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.805{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local55979- 354300x8000000000000000242831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:15:59.805{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local55979-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domain 10341000x8000000000000000242830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:02.634{8D845A55-15DF-6260-9400-000000004402}43245856C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.634{8D845A55-15DF-6260-9400-000000004402}43245856C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:02.634{8D845A55-15DF-6260-9400-000000004402}43245856C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.629{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.629{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.629{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.629{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.433{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000242822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.432{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8FB62CF1F8BE78C834D2ED56B9113EC,SHA256=324B1BC9EA62CA268AFFD763890CCA8073BAEBDC58037A894159998585549A26,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000242821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:02.246{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-1596-6260-0100-000000004402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000242850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:00.659{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56168-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000242849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:00.659{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56168-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 11241100x8000000000000000242848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:03.289{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000242847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:03.288{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:03.035{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:03.034{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A6975E8AE2045096D8447EF5C42C48,SHA256=8387D0CD9CE2E3F81C4B49EA25FDFF2C0A6B9D3B625E620B579FADA0DCD93194,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:04.140{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000242876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:04.140{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32E25CFF059C1A1225AD750E2395FCC,SHA256=6B0A8258B43511C9D3DF2C0A62A6ABEEF5BCEF0B759008A474CCD106D92F880A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:04.100{8D845A55-1596-6260-0100-000000004402}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2022-04-20 14:16:14.682 11241100x8000000000000000242874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:04.099{8D845A55-1596-6260-0100-000000004402}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSYSMON TRACE.etl2022-04-20 14:16:14.681 11241100x8000000000000000242873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:04.097{8D845A55-1596-6260-0100-000000004402}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2022-04-20 14:16:14.682 13241300x8000000000000000242872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:04.080{8D845A55-23B4-6260-CC02-000000004402}4440C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=FA39A46562A507323D8AD7F29A48D452FC707DCCF4DE3693C28040735B8F6B28 13241300x8000000000000000242871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:04.080{8D845A55-23B4-6260-CC02-000000004402}4440C:\Program 
354300x8000000000000000242941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:23.459{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56174-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000242945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:28.759{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:28.759{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA4F08510B0F1C0BC9F98E6165DFE86,SHA256=C657110D7F36AA64BEEE4F9FFE01CB6EE3137B3654E1499AD632D9E2A50A07BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.869{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.868{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93EBC2708B358A2861671A91EA85B9E,SHA256=6A4C5A1AD02D922D5F837CBD2704A86C139B0A57534CDB35CB411400EEF0BE7D,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000242955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.703{8D845A55-23CD-6260-CD02-000000004402}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 10341000x8000000000000000242954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.513{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23CD-6260-CD02-000000004402}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:29.511{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.511{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:29.510{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.510{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:29.510{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-23CD-6260-CD02-000000004402}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.510{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23CD-6260-CD02-000000004402}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.510{8D845A55-23CD-6260-CD02-000000004402}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000242946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:29.303{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7A6313AA809935CA38174DF79A77105,SHA256=4281A0C589C01604AC4BDC06B60791190BD6E51D427195431C8C970F286D05B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000242979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.980{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.980{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882963CEF5611B209A158BC203E85E81,SHA256=912CA0679D89669950F9537BF86F3798CF1C440C1A4A6CF7FDD31A41C537A901,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000242977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.842{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23CE-6260-CF02-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.840{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:30.840{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.840{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:30.840{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.840{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-23CE-6260-CF02-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.840{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23CE-6260-CF02-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.840{8D845A55-23CE-6260-CF02-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000242969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.400{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000242968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.398{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF39331655B8108BAFCB4AEA13C8F2D,SHA256=B81BFB645F48A0E3D54ABAA6A4D8C208B74D84021F8A04A9E764F0C589D4EF87,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000242967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.378{8D845A55-23CE-6260-CE02-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000242966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.376{8D845A55-23CE-6260-CE02-000000004402}60401324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.179{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23CE-6260-CE02-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.178{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.178{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.177{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.177{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000242960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.177{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-23CE-6260-CE02-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.177{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23CE-6260-CE02-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:30.176{8D845A55-23CE-6260-CE02-000000004402}6040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000242990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:31.956{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23CF-6260-D002-000000004402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:31.954{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:31.954{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:31.954{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:31.953{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:31.953{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-23CF-6260-D002-000000004402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:31.953{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23CF-6260-D002-000000004402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:31.953{8D845A55-23CF-6260-D002-000000004402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:27.711{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56175-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000242981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:27.711{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56175-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 534500x8000000000000000242980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:31.022{8D845A55-23CE-6260-CF02-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 534500x8000000000000000243005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.827{8D845A55-23D0-6260-D102-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.826{8D845A55-23D0-6260-D102-000000004402}19124080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.621{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23D0-6260-D102-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:32.620{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.619{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:32.619{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.619{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-23D0-6260-D102-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000242998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:32.619{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000242997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.619{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23D0-6260-D102-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000242996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.618{8D845A55-23D0-6260-D102-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000242995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:28.564{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56176-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000242994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.162{8D845A55-23CF-6260-D002-000000004402}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000242993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.160{8D845A55-23CF-6260-D002-000000004402}50165640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000242992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.088{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000242991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:32.088{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3D341FACD7AF9CF01762525741C77B,SHA256=62B9789649C363DB4C6D1177410D65DC9A640A700111F97EFBC88FBB0C129E0E,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.979{8D845A55-23D1-6260-D302-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 10341000x8000000000000000243030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.782{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23D1-6260-D302-000000004402}5208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.780{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:33.780{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.780{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:33.780{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.780{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-23D1-6260-D302-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.780{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23D1-6260-D302-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.779{8D845A55-23D1-6260-D302-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000243022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.632{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000243021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.632{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000243020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.632{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF37958d.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.630{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF37958d.TMP2022-04-20 15:16:33.630 11241100x8000000000000000243018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.626{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9HQHJ3T0MXD2EPR8NYM3.temp2022-04-20 15:16:33.626 534500x8000000000000000243017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.301{8D845A55-23D1-6260-D202-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000243016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.299{8D845A55-23D1-6260-D202-000000004402}31724696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.112{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-23D1-6260-D202-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.110{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.110{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.110{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-23D1-6260-D202-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:33.110{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.109{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-23D1-6260-D202-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.109{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.109{8D845A55-23D1-6260-D202-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
11241100x8000000000000000243007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.098{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:33.098{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD39E9CD5DD8E7B37372D38A2EEBD0,SHA256=00F3C9BF5FF9EFCCC527BEB77FC15C92AB170DF2038F1048D1ED62102BBA6827,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:34.628{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:34.627{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13BA0AC90121AEFD259BFA45E0F9109,SHA256=1152C8BD028503FF2C35B714DFB98071DD47423B563A1150CD4C91C8765823BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:34.615{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:34.615{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:35.715{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:35.714{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83285A73009F1C141E268AED3990E43E,SHA256=CEFD7ADE080797DFE4AC855B609D8A28AD886C6D824F7520BC2710D700F834DF,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:36.819{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:36.819{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AF97A36A0FDC26A2CBC445821281BA,SHA256=FF13261EDAD82F0BF9221733CE4A7985924837D1DF2900903DF0CC3CF90E1D0D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:37.923{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:37.923{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B50ADA6157DEDD030652FE87A52E247,SHA256=66C738B7130BF36940F11987F738B248E3DC2C86E7341D9A7C24AB8F247FB47E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:34.539{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56177-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:39.025{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:39.025{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5B3579B8941A777AF223A9522790F9,SHA256=B548764E6B3BF07AF3864534B439C82FA79B84909A5AEE6374B0132C6F500F91,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:40.128{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:40.127{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04C189BDA724EBC3A75A9C9E41B5BD5,SHA256=D7A67FBB4FEF92B5B9F02A354C9411E0CF4BB99BA80CCB053F8BDC0C4B5C0362,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:41.233{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:41.232{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6D799DFBDB2975EBB71D3876BE5363,SHA256=90AA32C888CF76ACB6D96EC6316D67C6B5F7CE068502898F9D35ED96BD3EF142,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:42.237{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:42.237{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E678DFA2A5ECD84C62F9CE2AEA137E,SHA256=E28619475A24109EC94A1730F3E0009A3FE6C14CAA6A2861ECF8C483B4366604,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:39.607{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56178-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:43.241{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:43.241{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07596AAF331C8C33A59A525F2E8F437,SHA256=E1BCAB5830E548B9651601DF9E5D50AACB21180F6312E1EAF4FE66787EF08A41,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:44.245{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:44.245{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C716E009AE79311139FBE689677163C2,SHA256=40194F54692237F8B90494A0A1133B90458C9DA0889CBD93CF06BD081B651B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.947{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-058MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.945{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0582022-04-20 15:16:45.945 11241100x8000000000000000243058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.944{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0592022-04-20 15:16:45.944 11241100x8000000000000000243057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.348{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.348{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E81542756004B07CE69A323A5B2D76B,SHA256=B66D1BEF8C0ACBBB5FB307479FC21D1D9BBFE7AB259D5EA25FB03D4CF305A423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:46.945{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:46.455{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:46.455{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57710ED5EA905802001EC1CCF04E7632,SHA256=6E211949880651C6E4BEB985696D3B50241074281E58200F8282ADBD5CD85A69,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.561{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.561{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F454F625CD56E8512BBE82D50CD450,SHA256=31463AD627DE8A90278B48DC56B0B5826EF8BAE6AFC9C5FC005A38B773A05DCE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000243070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:47.444{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 11241100x8000000000000000243069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.444{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML.TMP2022-04-20 15:16:47.444 
13241300x8000000000000000243068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:47.442{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\34368782-AD18-41EA-9DBB-4DCA5018EFF5\Config SourceDWORD (0x00000001) 13241300x8000000000000000243067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:16:47.442{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\34368782-AD18-41EA-9DBB-4DCA5018EFF5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_34368782-AD18-41EA-9DBB-4DCA5018EFF5.XML 11241100x8000000000000000243066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.441{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_34368782-AD18-41EA-9DBB-4DCA5018EFF5.XML.TMP2022-04-20 15:16:47.441 10341000x8000000000000000243065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:47.430{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.429{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:48.668{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:48.668{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D268DE34EB5E3E8D2159ABD3CD8A15,SHA256=65D7CAE0A2B764F5CEE410299E4701EA2A22D9BB1D27D56A331C7157C37A00DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.848{8D845A55-159D-6260-0D00-000000004402}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56180-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 354300x8000000000000000243077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.848{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56180-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 354300x8000000000000000243076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.485{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56179-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000243075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:48.273{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:48.270{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:48.270{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:49.674{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:49.674{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF59F7F0EBDAEFEE61A09F342293EE20,SHA256=3BD7D765064638960B8E60D39BAB591B475AAB4151BAC2400DAF1F5AFF808A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.863{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9890:5ff5:cd7:ffff-65535-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000243088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:45.863{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local65535-trueff02:0:0:0:0:0:1:3-5355llmnr 11241100x8000000000000000243087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:49.355{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:49.355{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC4085B00DA31DD1F96F19BD0AEBE0C2,SHA256=B9F3AD590F9679C66A2E38584781A64A9108F2C277FF188E12892F7CA03EEBBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:49.276{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:49.276{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:49.102{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:49.099{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:49.099{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:50.682{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:50.682{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718175D3C3700C09A597F8C80B4BE124,SHA256=CBF28353517AF1954DAA662E3D728224F0253F8521584B74973F8BBB30ED264B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.513{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56182-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:47.513{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56182-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:46.684{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56181-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 
354300x8000000000000000243092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:46.684{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56181-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000243099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:51.786{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:51.786{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01B15018071DDD33DC013AE7420EEC3,SHA256=8939CC46EEDA53B4C0BCDD9D23903859C15A412EE7F3E56A1899C79C7F7E041C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:52.793{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:52.793{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50ECCF73BF29CD1C637E1DFEE5F87D16,SHA256=58D885AD5CB7C4042FA883650EAA63EE2610DBCC9AB6FCB8639B202353BB7034,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:53.897{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:53.897{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EF69C1C15AE501EB4510E67D8D9F36,SHA256=716746E42F5F67D46ED88EE71C07C098B4FEEE55B29FBEBA300FD40A65AC149E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.610{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.609{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.608{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.607{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.607{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.607{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:54.607{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:54.607{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000243104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:50.559{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56183-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000243147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:55.489{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:55.487{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346E580E85D904607F22B662420E44DD,SHA256=A38721C62BE7F3B39B4844C1BF7100F4BA36C4EE7574E340971E9B656EC376AE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:56.520{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:56.520{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F114D0942DCE4E3219EB201C821E1488,SHA256=53249E2BC7F2D4E62FDE10853AAECD7F2F5D91069C8DE0578C2E38DEFF2D4693,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:16:56.097{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:16:56.097 11241100x8000000000000000243152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:57.623{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:57.623{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A97A8F14180CA1E330E003F48063F64,SHA256=0E83B9131A0012D06DA1DC91C791748F7B0B80B6252ED4770C634D3E19D0070F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:55.614{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56184-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:58.627{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:58.627{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968A9CEA3E804D9A56DFA756A2CD3B8E,SHA256=F7206A5FB98C16CE03974F77E5F6BC74ACC69A6CD104BCF71B066A09A04B9C6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:59.732{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:59.732{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BACFA9A2AFA6A2D087E645630ABB47C5,SHA256=C7EF6308792592C06C66F77555A061C3A5D315EB3AEE4C28E8EF86847EA2DC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:59.502{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=934206ED1DA1853B8267C64CFA7FBE92,SHA256=33AA79CB0C83473C9CA1DE0093AD9F52E0AE71A441910F4B4BDFEE933BA62222,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:59.278{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-04-20 14:16:57.501 23542300x8000000000000000243156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:16:59.277{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1128AA39B65B260122B998DC1DA395D9,SHA256=AB05E8FCE71FD6D73E80E0E7B63CC0E8A18EC0D5F9078AE4CE5F9EDB01981F5B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:00.738{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:00.737{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692059C401D0AE5FBC095DD12B71AF52,SHA256=639C532DA36D0F2B58CD26B16C54CF048FA0A3C315AC9569782D307D860AE863,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:01.742{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:01.741{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658BAAADA2C224795AB78033CC088442,SHA256=05BC927EE0BC271AF455AC592525F263B93C9BA9D926AD20FB8F215A0BAA7522,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:02.845{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:02.844{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB7573413FADAA79BA81B5D7A6385C0,SHA256=1424EBAB413E75940033EF4537AA99BECC83A42F8FAFEE2ABEBA8301BC36EE02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.948{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.948{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CA130E36E6A4F3CC1D79A4BC2B6359,SHA256=16A3D5129A2888BF7B12BF2CE03A97CCD01E12565C7E1CEA008A04DF11CC89EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.301{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000243167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.301{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:04.951{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:04.951{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39112B9F55CFBE352E6926B18561C89A,SHA256=4CABC0EF77F42A923168C098132E764B228F7932AD6E864C1E7EAB98FDC0335B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:01.424{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56185-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000243178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:01.704{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56186-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000243177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:05.377{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-1596-6260-0100-000000004402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000243176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:05.372{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:05.281{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:05.271{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000243192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.793{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56191-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000243191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.793{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56191-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000243190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.700{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56190-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.700{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56190-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.692{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56189-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.692{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56189-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.690{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56188-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local49666- 354300x8000000000000000243185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.690{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56188-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local49666- 354300x8000000000000000243184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.690{8D845A55-159D-6260-0D00-000000004402}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56187-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 354300x8000000000000000243183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:03.690{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56187-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 11241100x8000000000000000243182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:06.303{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:06.302{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5810781F83169FA5BF4FC46EEAB7EFF4,SHA256=E6A0FF2E15A877F3373CA47BDCFB7F7FA0D8822CB495E1FE1A2CE4E16F9093DD,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:06.056{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:06.056{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E62B4F7439544D9C3C80042D862AFC,SHA256=15450DDAFD012F0D4E21CD61EE89F410DA68B7D9F6F598572AB703EB0138C7C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:07.163{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:07.163{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD07C96F00C9AC5E9D5A84A59EAD102,SHA256=1774D1EE6D02832616E513CEEDC87FFB70CEF98B59C3AEA8A019CE73DDA66D25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:07.139{8D845A55-159B-6260-0B00-000000004402}636808C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:08.168{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:08.167{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9D41672A02D62E55A25D39A371CBFF,SHA256=0870D9EB13723B31EFADB44A9F34A7909D5A5A5B448429295CA52BD9F31D1737,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:06.443{8D845A55-15B9-6260-7900-000000004402}3332C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56192-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:09.272{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:09.272{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E889A7459450A94BA724CACB2AF8C07B,SHA256=16C013680D0C122468FA612F19CA499DCB9817B12BC1D179E3BD66C82B17D07C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:10.379{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:10.379{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9613FF274F3C089F7BE67C82ED924228,SHA256=C5A2C005BEC3160D9B1ABD7D20A6504BACFBD24D6E2D6D53D9D4FD4CEF3074F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:11.386{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:11.386{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87851BC1BEB8E9FE498788FCB73A09FC,SHA256=58E719671FAD6398D2C8BB59197CB5D3A089AA49998C85229754843168F8D948,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:12.489{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:12.489{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE660C4B772C2888AF53ECC3CEEFBBBA,SHA256=F7ECA8D63456C91C1D5EB4A349713866CE63EB0E9FD034FDAF3D6297D701C212,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:13.594{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:13.593{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8C9DBD748C9DDFDACFEF63521B6868,SHA256=E5C6D6E29144973C8CAD8CE28525C954DDECE70CBFB72186EEEDF900A6BEC1FC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:14.600{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:14.598{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E140DE07AA0964546BADEA56499EA308,SHA256=D21FFA68245273AC0175069EA876CA4CEFCFEBF765A2A0694866425FACFF8548,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:15.704{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:15.704{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DFB1C5ACC4454A44662749DDDD3F2C,SHA256=A9814BD7D8F0C226A83870BDA744E3ADB0E755B9B46CC569ED754A9CCD7E45FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:11.483{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56193-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:16.710{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:16.710{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446D4BAA98599BE5EDF6149CD9C42D2E,SHA256=F6990BA4CBE67AC067C914855533FC40F69DA4270FCFE105F329F6D6F36B0D88,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:17.816{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:17.816{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413813773BA3A6EF2E23E031BDB1F14E,SHA256=02C4186675AF6058C88B1B42563BD0B99E551436176CE6F93B6F4487206E9EE2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:17.129{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:17.129{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F2E51EC0A5348540D93A6D6295C2672,SHA256=61E3224EB4D4BBD0605A97AED734FA1A7127899A27B04EAB145B4D6746340F62,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:18.922{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:18.921{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F7A01BC058F4E8D665B95761A55C2E,SHA256=F08AE1B8E21DF1CA7D9428F42A08E9297E157C2BAB33D48EB0D4EF64023EECB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:16.664{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56194-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:20.027{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:20.026{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BF7EB5DE0BF6631E8A579322F60286,SHA256=AB6C28BFC4078C753E32098D79BA86A3FFA771A6D7A8CA306B9A4284A6676C71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:21.032{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:21.032{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F345A041F673E27A30D1AE44CC6220EB,SHA256=B3D63B7EB2A30AB70D3419D0518B42DEC96F79B599CA7C3B901A91A11A77793F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:22.038{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:22.037{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64C53155A9693D9E8B5A715A816FB4A,SHA256=4CDCFE1CE0CB92CAF8838463F765A239B09D1DC4F77EF1B34332FCA88AEA7ABA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:23.142{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:23.142{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED53D8D66EBA8B304E73C29BB8A92CE,SHA256=D75BB5CF12F73F1B69F511F8F6D6EF5C0CC608A08933C3407F724D8DF8C38419,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:24.246{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:24.245{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630E9425C6C6E491FEEA513F95C98A86,SHA256=C8FB49FE4EB0161BA20A22637A53A77A3E4372F34B04A5F4774182E7B450BA73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:22.507{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56195-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:25.350{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:25.350{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40209A9C02ED0C01C8D7AAE1029567DB,SHA256=8E39933DD28192E4D0C6D0345BA9B1F638D31762F19D36257D63E5A3678967CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:26.454{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:26.454{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B427DB37CF6A83062508724AE3AC22,SHA256=E4C418CC20B03AB1EB7FA02A937AD0170033BC2F8B7EC5E2214FD843371F8FA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:26.093{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:17:26.093 11241100x8000000000000000243240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:27.560{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:27.560{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53928ACF52EBE98C78EEE9C5B557B804,SHA256=9D5DC2E77F0BAF2599CB58AC8B6F3F5CF42CF2F78BB1D280B43890EFCD72B575,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:28.664{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:28.663{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEFC827BA1A25C883BC4015C92B4F294,SHA256=AD0269FB7FFC90551FFCE8B6574ECFEB00B0C256F699982B7FCC2678DF2D889E,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.690{8D845A55-2409-6260-D402-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 23542300x8000000000000000243253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.687{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2D7666CAF536EA5129D8E0EEE8184372,SHA256=5A01812CBB9A84E19A1EC1195C2A43374C6FF54628DB6A9B9DDB041FE1947BC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.669{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.669{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76603676127B4C654FA299FF3606E984,SHA256=4091164FD6FB9FA137B1C92208869B4B8E96C2E02D0F33E7E11ABB86328AD97B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.500{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2409-6260-D402-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:29.498{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.498{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:29.497{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.497{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:29.497{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2409-6260-D402-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.497{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2409-6260-D402-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:29.497{8D845A55-2409-6260-D402-000000004402}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000243278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.839{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-240A-6260-D602-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.837{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.837{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.836{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-240A-6260-D602-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:30.836{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.836{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.836{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-240A-6260-D602-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.836{8D845A55-240A-6260-D602-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
11241100x8000000000000000243270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.776{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.776{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9206DF63C77E2E2077A29AA2924F20E,SHA256=1AD0D98513EECDDCFDC9F6038CE0D02C3023F0ECDE445D0F1FF60FF0255B2AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:27.713{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56197-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:27.713{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56197-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:27.559{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56196-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000243265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.400{8D845A55-240A-6260-D502-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x8000000000000000243264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.355{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.355{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A19A29D38D91FBA8CB741F7B2D286257,SHA256=C62114B8F473365FCBBB25DE1C0017BD287DD715EB792C3B120225371AD8E94B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.167{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-240A-6260-D502-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:30.164{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.164{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:30.163{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.163{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:30.163{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-240A-6260-D502-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.163{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-240A-6260-D502-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:30.162{8D845A55-240A-6260-D502-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control 
ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000243290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.944{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-240B-6260-D702-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:31.942{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.942{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:31.942{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.942{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:31.942{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-240B-6260-D702-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.942{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-240B-6260-D702-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.942{8D845A55-240B-6260-D702-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.785{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.784{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ADA53E19DC7BB0D271AFF2E6A40271,SHA256=F55B05D53B265A62B66813A6F302E459B8AEC4B964D1DF01560EE1D9800A167B,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.017{8D845A55-240A-6260-D602-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000243279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:31.015{8D845A55-240A-6260-D602-000000004402}48605640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.900{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.899{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FA757A697AD2862A96D4F55E0FC37F,SHA256=4628DE20407ECFCABCD671B5B5E8636DE53AFA402DFC0A73A92617707EA0DDD7,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.777{8D845A55-240C-6260-D802-000000004402}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.775{8D845A55-240C-6260-D802-000000004402}6245728C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.606{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-240C-6260-D802-000000004402}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:32.604{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.604{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:32.604{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.604{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:32.603{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-240C-6260-D802-000000004402}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.603{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-240C-6260-D802-000000004402}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.603{8D845A55-240C-6260-D802-000000004402}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000243292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.114{8D845A55-240B-6260-D702-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.113{8D845A55-240B-6260-D702-000000004402}13004080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.959{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-240D-6260-DA02-000000004402}2524C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.958{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:33.958{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.957{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:33.957{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.957{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-240D-6260-DA02-000000004402}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.957{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-240D-6260-DA02-000000004402}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.957{8D845A55-240D-6260-DA02-000000004402}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000243314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.443{8D845A55-240D-6260-D902-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000243313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.442{8D845A55-240D-6260-D902-000000004402}46645144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.277{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-240D-6260-D902-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:33.275{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.275{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:33.275{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.275{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:33.275{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-240D-6260-D902-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.275{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-240D-6260-D902-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:33.275{8D845A55-240D-6260-D902-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000243325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:34.149{8D845A55-240D-6260-DA02-000000004402}2524C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 11241100x8000000000000000243324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:34.009{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:34.008{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CA9884551EF24B85C6FD33D81471F2,SHA256=F8195C401B28751DBFF32054FBA4E7C189B6677D0C37E0FBCC33140CB70A8623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:32.644{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56198-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:35.017{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:35.016{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D583DCBC5BE336D47BD3CEE1765C16,SHA256=15D71307DA287A44A3BFE4DC5529D64600A700B1EE7EFB8FACDE27FDCE53E951,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.120{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.120{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253E155DD2D3A9454868047064A6942F,SHA256=FB6CD3585C0A2D82FD1003B8267D4ABC282C105BEB97277269A8E6F603FF3CA1,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:37.223{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:37.223{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F577BDF24EC4031C202E63F5AE90FF,SHA256=509BBAD30772DAD62F93B75A760E26A5B9697D0E60401B414F526BD9B5ABB974,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:38.328{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:38.328{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4E3B74AB23E0DE3BC03D5281BD0E83,SHA256=7928840831DDBF7E21A1B846B69958ED48DC94C5A7DC6A231A9A6766060CA343,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:39.434{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:39.434{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF1EF5549492F115E80492B016924C4,SHA256=1ACE8B03A9AA58E933E6D0C57EE164DF87F0AAC47DF18A9600A816CDB436ADAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.454{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local57538- 354300x8000000000000000243344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.453{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53480-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domain 354300x8000000000000000243343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.453{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53480- 
354300x8000000000000000243342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.453{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:9890:5ff5:cd7:ffff-53480-truea00:10e:4424:584d:85c0:740f:488b:d45-53domain 354300x8000000000000000243341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.452{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local61092- 354300x8000000000000000243340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.451{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56615- 354300x8000000000000000243339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:36.451{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56615-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domain 11241100x8000000000000000243338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:40.437{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:40.436{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A2330B523E65B92A85CECD0CE0294AB,SHA256=AAAC6075CCAE5A0084193D23A7DB084A1CC9CC449EF32EF2B8CF71428F307605,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:41.443{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:41.442{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809F05E5049F65832804D09FDB2B9179,SHA256=7A8535C0A079524619700E75E91858582999D3A5C74E9C9120AB6F4A6299D475,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:38.438{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56199-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:42.546{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:42.545{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB85E7DB48C56D63FB5DC5D519F67793,SHA256=3305743EEF94C8B8F39AD3724D99D74EF37F90990CAAC2773570E76298094740,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:43.650{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:43.650{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2FB5D6B6B8BF81A0029DB6146AE099,SHA256=5B399D01307A0A67351FED7A95ACFB06F94FFA59CD74BE49F0E3BCA20C5ABDC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:44.754{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:44.753{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32EECC3DEBF70FE26DA3ED90F206A87,SHA256=72DF2958120564B55ADA5843C7BAEF559D569B36721F91D54636B5904C855FCB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:45.856{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:45.856{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790E2345C8F1567A1F2712ABB80CFCA7,SHA256=C9A201E7097AA1CCE8B63778E11DF03FBB15D0CF9C0117E794708EF2BA9C4FE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:46.864{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:46.863{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA79CF7ABDA2C91190D3479C3852509A,SHA256=F5C82D07C17EBEFC8238A0AC299A2B3E9D99FA21F498F61ED623C76DFB3E4EAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:43.618{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56200-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:47.967{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:47.966{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5910211C809113F6E0BD47ECDE322C0,SHA256=B329273C188932A29FA4F881B26EE0B48D5919469D1FBAA4860E04783136858A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000243362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:47.449{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-059MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:47.446{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0592022-04-20 15:17:47.446 11241100x8000000000000000243360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:47.445{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0602022-04-20 15:17:47.445 23542300x8000000000000000243365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:48.447{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:49.069{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:49.069{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017182EDE1D12D675A8E4D6A8E522139,SHA256=09750379D8205BF0C95C9C1FED75BDB319979DD9243038292368C2C9F34AC316,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:50.173{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:50.173{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD863430F4481016354EFF1A47A2534,SHA256=8EFB40A02761C3FEEF9DC96BA4F0967C407E98C97FFF4284370FE69C18470BCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:48.648{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56201-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:51.277{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:51.277{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCDF705E4C6F98E2270659924021499,SHA256=04707859E8F5BFAD55D28DCD8A6CE24CE23F058C823B77B05EB6011E54B6C04E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:52.381{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:52.381{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342A96C714863A1B4A4FE8575EDBEBA3,SHA256=D55AEBDD089A93613AD8B74C29B24698025BC0BE08D946577320B58FA6AAD24D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:53.389{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:53.388{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC800B74BC2B8812BF5E08DA276F271,SHA256=4D928B4BD8723733424F9A64B352638F56C86FF4D19D079356E15583FCAC183A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:54.492{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:54.492{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D9B74A61C15997E59C6E932A530B48,SHA256=C643113823BC0FAE6D3A01DC63C383508495A1AB1DF234E8972431DE7998AF2A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:55.497{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:55.497{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC268941DBBB59AB7F34C75B8368E7E,SHA256=B8A5924F7D55026889352E24EC682F3F81314A5F111E2E148CE06971A4C3797F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:56.604{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:56.604{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBB09601D7CF280BE8FD76C6D3880B7,SHA256=3BCCB03758B17F95F9D5C3F01716B0C6B56CB3AA4BAA9D793D94FDFF8E5D5D66,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:56.093{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:17:56.093 11241100x8000000000000000243385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:57.609{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:57.609{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23E644E983C5448910A17BA725FCB711,SHA256=13622D25048D2AD87CC07F0B64E3A600C40E7FFA7DB96F3DB758EBDC703536ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:54.457{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56202-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:58.713{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:58.713{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A663DFDD5E17FE86B2D29FD0DC2D08FB,SHA256=D1A65F4BA8A852F429FF4B295BB8A189895ACCC324491F6AE5AB896EDF42848C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:59.912{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BAC425A781384B55CFDBA0C7E3F8578C,SHA256=B9259DB1FDF63FD00CD53CDD62F6A7C95A4EBC1AFC26D029D105DA0A2B9C4AAF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:59.719{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:59.718{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1A6C767D3C9D8C11F1E16D81BABF26,SHA256=756396C977DF39F6B99246D3C8BD479952DF9ABD97E510F5CC28183508DD445F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:17:59.276{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000243389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:59.276{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DC7198A3C42A414B37537C4AE5586B7F,SHA256=12630239C273BEAC0AF008F13673FB71751DC7887E7453A53E046C5282EC8594,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:00.724{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:00.724{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93714E127C4878C7236A941C8EB134FD,SHA256=FD19D970C22B191A2742092F53AF7F88753A76649BDE7C71ECA0D6118F97D603,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:01.740{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:01.739{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07C627A39C27BF7DF0E42E0DF4793B1,SHA256=A66371BD139D2E720908F629A9D263419C7088ED47C7A7FE0B244CA825564C8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:17:59.591{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56203-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:02.748{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:02.748{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389105FBD3762E8B268A8ACA563B6E0A,SHA256=444CD7F1014BD301BA6E546CDBE3941C8ED4832E2E84643081FBF0FCB45B04C6,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:03.856{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:03.855{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51775A041E45EBBD298C313AE54DBFF5,SHA256=30C231785DC6E59CF87CECF0FCADE383429694DBEB9FAE91FCF9121067096BA0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:03.314{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000243401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:03.313{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:04.859{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:04.858{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D7917795AA09FA2E97743A299C3D4C,SHA256=E61868A7C05225ED32F09375B24B5EC952F14362F5A06EE374F74114EE62B2E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:05.965{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:05.965{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F986E0CF8D5C01B4D19B36341F57C4,SHA256=09788C4F4D0CCFB774A05766F9B293573C1EBDFF6FF941BB00E4BE93CB3BBC0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:01.720{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56204-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 
10341000x8000000000000000243410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:06.265{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:07.072{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:07.072{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255F98E2672181F3304A9B996C30BE32,SHA256=17EEAE0E35718B4D6DF0ED0CD4482E1D055F48D74C1A8EF0037048FAF28B1545,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:05.525{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56205-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000243414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:08.081{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:08.080{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F748D13B8AB4B0E71C86B57AEECE62,SHA256=5DDB05AE1A489518537DB67F8872F673BF128768AA4886BFFAE3E964ADA2BEC3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:09.184{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:09.183{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39772AA1745D0A9C0851125C1AC8061D,SHA256=AC9D23ADCA881B77CBC7E0E3ED5693C7AE31572ED0F3438D805C634BCF42494B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:10.289{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:10.289{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C229618FED76CDDECA48E7F65D1E974F,SHA256=19B683B19DA56C52C1B7E3A73FBA73B674E56937D543B19D448BFD279FC69958,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:11.393{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:11.392{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEC726CE6832539C1B27D33959D78D00,SHA256=7A4473B583BEA7DFDB241BF5F1E21880CB4AA1F793E9A9D387B3307A3DFDEC73,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:12.497{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:12.496{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02230A4513088EDC326EC412DBA5F9A,SHA256=9C88259151E7D2C481909034C740203AF1F9B789C1CF250431D00606276E6BB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:10.644{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56206-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:13.599{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:13.599{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECD13923A103B849BF6D65944F6BF60,SHA256=FC306E5DEBF72168212551325576C67D9FEF4AA85D1B93A4BA9039EA9EDDED3D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:14.702{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:14.702{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE0555649CFB2579D6A54A40F73A82A,SHA256=6C92EF87BF22DCD7EA8B064E07DFA646710746EDBD1759863D124DEBE111564C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:15.806{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:15.806{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
15:18:30.822{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2446-6260-DD02-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.822{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2446-6260-DD02-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.822{8D845A55-2446-6260-DD02-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.801{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.800{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0935A4EA7C31707AF31C10EAA831FC06,SHA256=925319AD5881F97CB9853969EAEF9938D0CC8A1FCB120C9D06A89E08B313392D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:27.713{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56210-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:27.713{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56210-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 534500x8000000000000000243498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.399{8D845A55-2446-6260-DC02-000000004402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x8000000000000000243497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.340{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.340{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7697619E47780F6871765B76CC887259,SHA256=E314ECA39309B306C00FAF333A3E0E3DF3D40B61DE8516C84C8A3FC0F48B1796,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.164{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2446-6260-DC02-000000004402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.162{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.162{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.161{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.161{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.161{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2446-6260-DC02-000000004402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:30.161{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2446-6260-DC02-000000004402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:30.161{8D845A55-2446-6260-DC02-000000004402}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000243524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.998{8D845A55-2447-6260-DE02-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.996{8D845A55-2447-6260-DE02-000000004402}20362596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:31.836{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2447-6260-DE02-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.834{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:31.833{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.833{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:31.833{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.833{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2447-6260-DE02-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.833{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2447-6260-DE02-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.833{8D845A55-2447-6260-DE02-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.807{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.807{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18B3280B5A80C3D677967DFFC1F9C78,SHA256=5B8B40A091F2E82B59F5F98B3D2128B9A990B6B2A7EB9CDB9DBE9F78C2D50154,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.917{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.916{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9164C1E5E199282FE53A5C2CB7A63E,SHA256=7AFEC663DF1ECFD12905F2EA1C1827BF53238EDE15B5E37F3FAA990456CF0782,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.710{8D845A55-2448-6260-DF02-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.708{8D845A55-2448-6260-DF02-000000004402}51165816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.498{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2448-6260-DF02-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.496{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:32.496{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.496{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:32.496{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.496{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2448-6260-DF02-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.496{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2448-6260-DF02-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.496{8D845A55-2448-6260-DF02-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000243564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.828{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2449-6260-E102-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.826{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.826{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.826{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.825{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.825{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2449-6260-E102-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.825{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2449-6260-E102-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:33.825{8D845A55-2449-6260-E102-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000243556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.629{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000243555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:33.629{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000243554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.629{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF396a4d.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.627{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF396a4d.TMP2022-04-20 15:18:33.627 11241100x8000000000000000243552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:33.622{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LLMBLDZ44G5ESJQF6EOR.temp2022-04-20 15:18:33.621 11241100x8000000000000000243551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.351{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\1huziwj5.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F2022-04-12 13:31:22.974 534500x8000000000000000243550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.351{8D845A55-2449-6260-E002-000000004402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000243549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.349{8D845A55-2449-6260-E002-000000004402}59044080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.246{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2022-04-20 15:18:33.246 11241100x8000000000000000243547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.246{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2022-04-20 15:18:33.245 11241100x8000000000000000243546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.239{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2022-04-20 15:18:33.239 11241100x8000000000000000243545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.239{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2022-04-20 15:18:33.239 10341000x8000000000000000243544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.162{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2449-6260-E002-000000004402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.161{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.160{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.160{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.160{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.160{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2449-6260-E002-000000004402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.160{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2449-6260-E002-000000004402}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.159{8D845A55-2449-6260-E002-000000004402}5904C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000243577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.546{8D845A55-1E68-6260-1002-000000004402}5452ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-04-20_151834MD5=3DB1E293ACA5E7A7559FC292E1F2B25F,SHA256=57DB6ED7481AE48F63BF2AA10CDA81A6C7CDA7782334071B04A9893A9EB2E1BD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.537{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xml2022-04-12 13:18:48.382 23542300x8000000000000000243575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.536{8D845A55-1E68-6260-1002-000000004402}5452ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=7DB5B68C526D2B4002F6BB72B7C5F7F8,SHA256=FA39A46562A507323D8AD7F29A48D452FC707DCCF4DE3693C28040735B8F6B28,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:18:34.391{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.391{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8E85BD5E1ECAB66B226C418D6496BC,SHA256=77E718CBCBB201056A8000E33CB51378533B5FD76607B9570B999BA51A62ED58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.659{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53846- 354300x8000000000000000243571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.657{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local63261-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000243570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.657{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local54167- 
354300x8000000000000000243569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.657{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local54167-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domain 11241100x8000000000000000243568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.268{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xml2022-04-14 17:01:56.838 23542300x8000000000000000243567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.267{8D845A55-1E68-6260-1002-000000004402}5452ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=EB5A06062A409BFA6044822406FD6681,SHA256=334550DDAE5E36195F03D6A5370819B4B251D0A2573B310F6953E001D12C15CB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.260{8D845A55-1E68-6260-1002-000000004402}5452C:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-04-20_1518342022-04-20 15:18:34.258 534500x8000000000000000243565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:34.008{8D845A55-2449-6260-E102-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 354300x8000000000000000243581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:32.486{8D845A55-15B9-6260-7900-000000004402}3332C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56212-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000243580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:31.670{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56211-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 11241100x8000000000000000243579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:35.341{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:35.339{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C49C391D9820C04EF34650ED743FE0,SHA256=C155AF35755B93AC647BBF2D4F0B4B8B3180B1331DA53C9C6E3A460947681727,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:18:33.810{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53796- 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0531296C5BDE261F7F14F85C32D447D2,SHA256=6FBF59B24875FE606D60E513F3420EC68668E498DB3181D08562E7D71FFBBBAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:04.560{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56219-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:07.415{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:07.414{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740AAE5A69FC99C4094CE35DCE765E48,SHA256=50CBC9D870497E52043C0309E7F29176727B98E0FE04289CA50FC563F715406E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:08.519{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:08.519{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DDCC30B5874A96E91B560F43DC2EDC,SHA256=6F09D51EB69456C0B547E37EFD803C3387449CF3793C36393875D9C0E6310129,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:09.625{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:09.624{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750FC6B9AF87ED11FF4023B8BB01637D,SHA256=CD759E659746160D3CF93C969801CDD8A7C5969D4791BFFD4D3F412782CB7DBD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:10.737{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:10.737{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE632C4D95CFAF5C3D51C98A4E05D552,SHA256=F6C2F156AD96525C4694D67C99F6834662D74B0D47E47298D3F02AE6832599BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:11.841{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:11.841{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7722459FD9103FC2CC3FEBA713AD780,SHA256=88B2F43A93B0A25640EF9F9B5399C913E121BC7974746B6ACB38993FC3F80EBA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:12.854{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:12.853{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDE54C9571E0D07EF9C57DC28646CB0,SHA256=753FC6E2C17D281195492660D0A2E06DC0C12976B08E18BFE78C40541BA91104,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:09.629{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56220-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:13.959{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:13.959{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636FD7BFF89886B5D55675665EEEC076,SHA256=083E74F89ABDC8446C37625107DBB7CF0B4D944A0759EFDE4C339A02EDF615F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:15.067{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:15.067{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69181C73F42B44B1CD54A7CB95ED391,SHA256=9AFE231CE3973EBF21E76D22BB03AAD02FA5F7005A18F8BC1661364A78C866B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:16.071{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:16.071{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EC1D152BEC1FFDA1B14E82BB9AC336,SHA256=499C893889877B5898D63B0A12DA97955E98D135B2EEDEFEDB6B34E7A2DC2FB0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:17.175{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:17.175{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EB6253F9BA0BF9AE093DE89B777E07,SHA256=EAFA01E75AA3B246AD27EF385B8A20BA0E44FBC269C6E70A67B903E986D35963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:15.509{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56221-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:18.278{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:18.277{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31A6E6747756C74393EED62BF4E5E86,SHA256=B2A1AAB803F52F9B7C80164016CD83A6CA63473EB5AE8923D8623CF04D1411E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:19.283{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:19.283{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E084D86A1EE7836229BC4C4F1B16C05,SHA256=7FF2A44659CC4D460E0269D396903E26456976D09592283EEAB27BD454208E29,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:20.385{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:20.385{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3F5E120E599CFF80D61200B5271435,SHA256=7912F20466CDDBE1A1B43F262DDA31C7EDF7D9F4373B73D702145B306BEE16CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:21.489{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:21.488{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0B0994187D37223B79286BCCC95960,SHA256=F4245C5C58F1CC6CE93DAFF9851BB3F2A0998DBD03A0A17C6ADDE9BF894BCBCF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:22.493{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:22.493{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EF4D7499B7B50FCB3FC5A665C1B741,SHA256=E9D55DC2EE9E166C29A076FE7AD7A29513D640C19CF853246FEA4D5FA479BE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:20.528{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56222-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:23.596{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:23.596{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C9371FDD57128E584695067041B05D,SHA256=594A538715FADEEDB7BC6014648DA9382F9F60BCCFEAFB20BD9992B78C7F29F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:24.602{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:24.602{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EC94766A8F067C9E3EE2EBACC61788,SHA256=707B3625543191BC980B7B37C2269BC424FAD6BF06C6BC1F92032B50476D494F,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:25.707{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:25.707{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2B21AC0C2357C6D1917B04A392A679,SHA256=871839D452F2A9A3097946B0FB7BEB7781CDCF92DEB3FF501517438234246481,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:26.813{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:26.813{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1142CA15A52AEB0371C75EE828895EBB,SHA256=F37E5DA52C8C40D59479B8E20FD3D2DC2FB27B0A39514C48D59427B0717CF643,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:26.086{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:19:26.086 11241100x8000000000000000243721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:27.917{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:27.917{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CB72097707B00A5EA5BCC099AD3153,SHA256=FC5B6D590D17D5A678DCE203EDB8E1B307349F2729F83F588601F5C0784B1C5C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:28.921{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:28.921{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B14ED43ADFF2E30B549D569A3F8DB3,SHA256=7B74B8AA40FD186B4DDDB8ADF1B5A794B1C680F7337620FEAA095936F00A55C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:25.650{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56223-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000243733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.704{8D845A55-2481-6260-E202-000000004402}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 23542300x8000000000000000243732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.566{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A372D527A0E30F2AB773CA633E5F6C04,SHA256=AA81E5EEE453D203C1C19221D10C1900567659574EBEBC7DD0453A20D2EB4D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.506{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2481-6260-E202-000000004402}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2481-6260-E202-000000004402}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2481-6260-E202-000000004402}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:29.504{8D845A55-2481-6260-E202-000000004402}3948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000243759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.995{8D845A55-2482-6260-E402-000000004402}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000243758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.993{8D845A55-2482-6260-E402-000000004402}13245868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000243757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:27.728{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56224-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000243756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:27.728{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56224-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 10341000x8000000000000000243755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.841{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2482-6260-E402-000000004402}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:30.840{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.840{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:30.839{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.839{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:30.839{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2482-6260-E402-000000004402}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.839{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2482-6260-E402-000000004402}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.838{8D845A55-2482-6260-E402-000000004402}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000243747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.358{8D845A55-2482-6260-E302-000000004402}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 11241100x8000000000000000243746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.311{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.311{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B47AFB63B8505303833536316BF4A77,SHA256=2DD5A250DB3851337460F463C727C1028BD1CC453465D8CDC68B0D7F7354E56C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.175{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2482-6260-E302-000000004402}2948C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.173{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:30.173{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.172{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:30.172{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.172{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2482-6260-E302-000000004402}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.172{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2482-6260-E302-000000004402}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.172{8D845A55-2482-6260-E302-000000004402}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.034{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.034{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A62C22E3C199509FDC82583B23BA64,SHA256=693407A2D4A231C550DE83855CEB277463F8EB1D54CF106472D50CD3F81F0AC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.834{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2483-6260-E502-000000004402}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:31.832{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.832{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:31.832{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.832{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:31.832{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2483-6260-E502-000000004402}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.832{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2483-6260-E502-000000004402}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.832{8D845A55-2483-6260-E502-000000004402}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.145{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:31.145{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ED1BF5BF6520B0125C532005F0F850,SHA256=2CB6668BCC9082E5313E9768D1AAFD8446DE9E8BC9C6C5D1EA65ADD63BD4DA5C,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.519{8D845A55-2484-6260-E602-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.517{8D845A55-2484-6260-E602-000000004402}60402020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.363{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2484-6260-E602-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:32.360{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.360{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:32.360{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.360{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:32.360{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2484-6260-E602-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.359{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2484-6260-E602-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.359{8D845A55-2484-6260-E602-000000004402}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.252{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.252{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0068C1492499E622C6FB58D7E326E3EE,SHA256=07D4BE6238AC831ECA99D64885775A95576FF489B45F5AF0083250EFB59D6B32,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.003{8D845A55-2483-6260-E502-000000004402}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000243770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:32.002{8D845A55-2483-6260-E502-000000004402}55084676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 534500x8000000000000000243804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.859{8D845A55-2485-6260-E802-000000004402}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 10341000x8000000000000000243803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.701{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2485-6260-E802-000000004402}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:33.700{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.700{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:33.699{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.699{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:33.699{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2485-6260-E802-000000004402}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.699{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2485-6260-E802-000000004402}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.699{8D845A55-2485-6260-E802-000000004402}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.362{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.361{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5158AB9460342DA11F7E3345B5EA96BA,SHA256=DE88406299B380175261E0CEC964CCA0F2135972F1DBB7BC1A6E55D910F56D25,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000243793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.189{8D845A55-2485-6260-E702-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 10341000x8000000000000000243792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.187{8D845A55-2485-6260-E702-000000004402}48605548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.025{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2485-6260-E702-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:33.024{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.023{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:33.023{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.023{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:33.023{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2485-6260-E702-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.023{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2485-6260-E702-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:33.023{8D845A55-2485-6260-E702-000000004402}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000243807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:34.469{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:34.469{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F355D54B1573E38408E8608E3F16BE,SHA256=D1DF9AF0F1932D6F3368856A98FB5C885DE930B0D9264A53769C9779C18DD6BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:30.674{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56225-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000243816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:35.988{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.987{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:35.987{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.984{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.984{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.984{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.984{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.574{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:35.573{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A06095B13B03492182BA2A974EB14D,SHA256=03AD14C1224E96F9D5FCB2E5EC3752C475EDF36FE4D3A40F4FE700A18197693E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:36.683{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:36.683{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158F3E29643A9B81BD74B6F12AFC4DD5,SHA256=6703F3D5465F9EF2DAB9C2E218B76D5C8ACA8AA085F684B1401601A1DBB37629,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:37.787{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:37.787{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670181FFE54D329F8C4D358AC5DBC6B9,SHA256=3DD9A932BFC0130974F8D13C49316EEBD4B1FF64EAF219A03F4BD92E7A547234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000243829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.956{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.956{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.956{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.951{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:38.951{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.951{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.951{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1F6C-6260-4202-000000004402}4852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.793{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000243821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:38.793{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C39CABDE3E16BB5C86FF4E0AE6F677,SHA256=7DDD12FAA1D598E367B12DFE297B24F5232CEB36A9AFE3419FD59F8414975C44,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:39.904{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:39.903{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577978DF794541CADCB4FFD3D983AC49,SHA256=844E1337D4A39E819807FEECECEB551F4B7C6865D3887ABD91F0BA7F7CF8039C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.636{8D845A55-1596-6260-0100-000000004402}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2022-04-20 14:16:14.682 11241100x8000000000000000243857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.631{8D845A55-1596-6260-0100-000000004402}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2022-04-20 
14:16:14.682 534500x8000000000000000243856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.629{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exe 13241300x8000000000000000243855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.628{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=57DB6ED7481AE48F63BF2AA10CDA81A6C7CDA7782334071B04A9893A9EB2E1BD 13241300x8000000000000000243854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.628{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000243853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local2022-04-20 15:19:40.628C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=57DB6ED7481AE48F63BF2AA10CDA81A6C7CDA7782334071B04A9893A9EB2E1BD 11241100x8000000000000000243852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.627{8D845A55-1596-6260-0100-000000004402}4SystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSysmonDnsEtwSession.etl2022-04-20 14:16:14.682 13241300x8000000000000000243851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.626{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000243850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.624{8D845A55-248C-6260-E902-000000004402}4664C:\Program 
Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000243849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.624{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000243848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.624{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000243847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:19:40.624{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000243846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-DeleteValue2022-04-20 15:19:40.624{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000243845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-DeleteValue2022-04-20 15:19:40.623{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000243844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-DeleteValue2022-04-20 15:19:40.623{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 
12241200x8000000000000000243843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-DeleteValue2022-04-20 15:19:40.623{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000243842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-DeleteValue2022-04-20 15:19:40.623{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000243841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.622{8D845A55-159B-6260-0B00-000000004402}636808C:\Windows\system32\lsass.exe{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.542{8D845A55-1F6C-6260-4202-000000004402}48525432C:\Windows\system32\conhost.exe{8D845A55-248C-6260-E902-000000004402}4664C:\Program 
Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.539{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:40.539{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.539{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:40.538{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.538{8D845A55-15B0-6260-4F00-000000004402}38204036C:\Windows\system32\csrss.exe{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000243834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.538{8D845A55-1F6C-6260-4102-000000004402}368608C:\Windows\system32\cmd.exe{8D845A55-248C-6260-E902-000000004402}4664C:\Program 
Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000243833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:40.538{8D845A55-248C-6260-E902-000000004402}4664C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{8D845A55-15DE-6260-DFBE-070000000000}0x7bedf2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{8D845A55-1F6C-6260-4102-000000004402}368C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 354300x8000000000000000243832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:36.631{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56226-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000243869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:41.721{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.721{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:41.721{8D845A55-15DF-6260-9400-000000004402}43241256C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.718{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.718{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000243864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.718{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000243863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.718{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000243862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.051{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000243861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.051{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2157B80EB3173F86EAEDB27A63D2CACB,SHA256=8155CFE8B2CF828C4B48563C2DD10CFB1246A9430D227751D7CC730125E5A4E9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.015{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:41.015{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C013B33714F091B931D6C7B8BEDC1D0,SHA256=73F4F19BFEC882CFD1FFC99EFA213A344024660A27A89F0E6F0EBB44784C8AEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:42.120{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:42.119{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50535C11EE4EDE6707B95F0B3183284E,SHA256=049BC725C731936B8C158A4891FBB0EDF10346C5F6524928F2637DC131238625,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:43.224{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:43.224{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59A0E2E8E5DC7E38AAA61C16D024168,SHA256=4C832A3C30762884D297B703A5388CC36E805E5A4A224BA88FC5A1D6ADBF6332,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:44.228{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:44.228{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E2C0AD687D311F05B0016A1339A477,SHA256=9DBCF2E0B9A0EAA991D0DFEACC85447C695920CAB7F832CF8F35119595A35A9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:45.234{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:45.234{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C763AE05913511126E47FA7FAABFD5,SHA256=7B35A28DF7DDCBCE894155C07660C8175362FCA3BA80E1253FB640C09949A9F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:46.339{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:46.339{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E29C6E8494BF164AF64D76F3614F75A,SHA256=ADC7E993BBF17845273306E080F90D19D0B747A3F14F7A6A149143D6395A4C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:42.494{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56227-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:47.445{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:47.445{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB35BDB3EA07978B55196124893A027F,SHA256=33DB2A054B57D548B3ADF779B8EE7C372E0735550E4EE96401AF536910206CB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:48.452{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:48.452{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E5AA653E5287347BA94BBCCA342AEC,SHA256=43A4C257D588D9D4A638079BFD181B791A1FBAD30ADB35AE19CA43C07B3C5D1F,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000243886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:49.555{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:49.554{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5EF031FC485DAA6720EB67741897C9,SHA256=125C3C04B92561EAABEDC8DE8353A72EF53535F60F03031C78F33A03E9128D52,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:50.561{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:50.561{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6351A79A2A87EFFA19A10C2E3D058D3A,SHA256=C071762CF51F6D64C825809998C8624F98253900734BF8DAF73605414BABAECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:50.451{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-061MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:50.450{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0612022-04-20 15:19:50.450 11241100x8000000000000000243887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:50.449{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0622022-04-20 15:19:50.449 11241100x8000000000000000243895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:51.666{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:51.665{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C3CB7AE8EDDAE108DEC3726FCEBD6C,SHA256=520C92C21822A73FE362610A21F7574C4C507CC9D3183CE6820AA387A9A4A190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:51.451{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:47.512{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56228-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:52.769{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:52.769{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631BD676C55DE82FDF700770DF6711D9,SHA256=734125FA1BEC2659760BB2D4AF0F6FF1988E23579E56FC6750099B1659B16803,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:53.874{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:53.874{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC22525E222AF213ED5958545283B10,SHA256=58B7630CB5AB487AE6002A9F796A18610F8D419D0BE9DC18DF207FE0F28E6C81,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:53.138{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000243898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:53.137{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=B5A04CFAA2E1217A9D83DBBB949624AE,SHA256=8C2A82837CFC632CD82C5FD154DC9411C007AE29F5B49A4D41CD25F245E77F08,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:54.977{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:54.976{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217D2A39D14C300F91D974ADDB93C9CB,SHA256=90D0A6652968BE9464B6EBDB12695BF87E000651FE5D7E437764B4A0E90EBCCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:52.513{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56229-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:56.095{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:19:56.095 
11241100x8000000000000000243906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:56.092{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:56.092{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1226983FB633E9975A99A2BDDD4766,SHA256=3369F8D4AA0FBCE60F9C27A3BA1DE169ABA6D412FB492D5183835D1EE4C72122,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:57.101{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:57.101{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C5F2BB889DA86507D7672B499CE32C,SHA256=D60EF8852DD71FF33ECAA44C1A55175FA153C47B7533CDCCD0D96272DFDB7F14,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:19:58.111{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:58.111{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602C872E0AC4BC30CCF27930B77E57F3,SHA256=1E59F2488348CC0655C76C7A57540B7EA702CC938A86255ECDEF9F61328236F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000243916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:59.803{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=75F7FB372813174633CAD046C59395AE,SHA256=75EDF3B2C170B9015823C0B4031E4314B0707EB1375168C42205A5BF8394EB38,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:59.274{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000243914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:59.273{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BF5A44F858DB0E141C37B5D630B62796,SHA256=32AD00F7D17E72BEC8F00F4F597BC0B07F05679FD51984D7F43935448DDDB725,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:59.214{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:59.213{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8215A15621AEC49A936FCEF623662580,SHA256=EB5279925C3AB4BF969D6A16B6C886A5DF3215994D1A52B22183436E335970A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000243918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:00.320{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:00.319{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235BBC5092EDE5D5A18DF5D903F2655B,SHA256=99D4850B2160AE275AE1FEB712C9C079B77DE1116C158C7B7351B481238FA4D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000243921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:19:57.568{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56230-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000243920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:01.324{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000243919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:01.324{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB06538096253D0BB92AA6C2B5633E5C,SHA256=462C17A5DB607C2B4453C7D98FA86F0AF966911C22D6840756ED090AD4C4D06D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000243968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.509{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000243967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.507{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000243966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.507{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000243965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.507{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000243964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:02.507{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FA,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000243963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.506{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000243962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.506{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000243961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.506{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000243960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.506{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000243959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.505{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000243958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.505{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000243957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:02.505{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000243956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.505{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000243955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.504{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000243954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.504{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=8DC8BE73A389A78CF0712855FEB95E19,SHA256=28353CA8EB08D784E8188E2785C97173CEADCA7B6A2202020E03F1082AF8CCB0,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000243953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.504{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B477727DF2138332841E3C16E0034DA8,SHA256=21D453AECB117F73628A97F35397C67C21AB44266295C8902BA096840FEEE69D,IMPHASH=27EE2F560EBD20EF5BFF92A874046DACtrueMicrosoft WindowsValid 734700x8000000000000000243952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.502{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000243951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.502{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000243950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:02.502{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D1B932F51A706F52D3A8DF0B2F996690,SHA256=DFF697BB21D32C38EFE7E1FEA7E5636BD0362FDC8DFBEEA74DBE8A7DE23925CE,IMPHASH=66F8E3D81FC635E47987E2D0CB03F594trueMicrosoft WindowsValid 734700x8000000000000000243949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.502{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000243948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.501{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000243947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.501{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000243946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.501{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=E23B1EE95FE19AD57E8DA6F59EED5095,SHA256=E076E77F0B2D9A5D5FD8F147443456F044FBC19368FDC962560517BDF29B04D0,IMPHASH=991572CE3F59EDD28F428DD5C4D9E67DtrueMicrosoft WindowsValid 734700x8000000000000000243945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.501{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000243944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.500{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 
10341000x8000000000000000243943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.500{8D845A55-1E5C-6260-0F02-000000004402}31442700C:\Windows\system32\conhost.exe{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000243942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.498{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=310F71ED43C168BF43B3825696E8224C,SHA256=F92555518BD8EC07DAD2BFBD3B97C4D47AD987EA4C89BA7D01775AB97CC6CB5F,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000243941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.498{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000243940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.494{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000243939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.494{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000243938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.494{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000243937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:02.493{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000243936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
10341000x8000000000000000244073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.861{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.861{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.857{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000244070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.856{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000244069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.852{8D845A55-159D-6260-1600-000000004402}12922392C:\Windows\system32\svchost.exe{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.852{8D845A55-159D-6260-1600-000000004402}12921356C:\Windows\system32\svchost.exe{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.852{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 
734700x8000000000000000244066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.851{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000244065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.851{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000244064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.850{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CA,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000244063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.850{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000244062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.850{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000244061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.850{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=0B1961C1D14DD3DE4342B6E7BCE700BC,SHA256=AADDD62E881A6A91A67EA1263798F4608DCEA6F59AE43A076880B2A621E2ED63,IMPHASH=A03B8A6BEC68C432E677F3D5E1DA4FAFtrueMicrosoft WindowsValid 734700x8000000000000000244060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.849{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000244059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.849{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5006 (rs1_release.220301-1704)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=CC49EC90F89D864201C457C480E62211,SHA256=731D0F819FAFEA355604D22AE73208DC15D82CE44B6BD6DF7184185B88145300,IMPHASH=CE6A42C292DA87885FAB409381075FA7trueMicrosoft WindowsValid 10341000x8000000000000000244058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.848{8D845A55-24B5-6260-EC02-000000004402}59605804C:\Windows\system32\conhost.exe{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.846{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430D,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000244056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.846{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.846{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000244054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.845{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000244053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.845{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000244052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.845{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000244051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.844{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.844{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000244049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.844{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000244048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.844{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000244047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.844{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.843{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.843{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.843{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.841{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.4886 (rs1_release.220104-1735)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=90A1061677CEBBF9FF41283BBDFD851C,SHA256=01448DC953A0E6B96CDACA05EDDFB2FF053DA488F258600745AAE4FE840B4682,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000244042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.841{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000244041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.840{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1E,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 10341000x8000000000000000244040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.840{8D845A55-15B0-6260-4F00-000000004402}38202388C:\Windows\system32\csrss.exe{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000244039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.840{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\explorer.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000244038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.839{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.839{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.839{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000244035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.838{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.838{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000244033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.833{8D845A55-159D-6260-1000-000000004402}3405556C:\Windows\System32\svchost.exe{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.832{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\explorer.exeC:\Windows\System32\deviceaccess.dll10.0.14393.4283 (rs1_release.210303-1802)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=BE5D6961F4736274AD28D2B2BAF0CF50,SHA256=177BF5B04802C472A158EC012FF03055E74FC7121F47DAE0D6BF0FD9579F6A1E,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 734700x8000000000000000244031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.832{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 11241100x8000000000000000244030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.832{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 734700x8000000000000000244029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.831{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 23542300x8000000000000000244028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.831{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB57EF64D09896850CA1603D11FD879,SHA256=959858FE9815F38C4859AE1B8294989E8C3993B28277DBC96B20C16D4E68FC91,IMPHASH=00000000000000000000000000000000falsetrue 
734700x8000000000000000244027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.831{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.830{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exeC:\Temp\OIK\Temporary0\PServiceControl.exe------failed: Invalid hash-- 10341000x8000000000000000244025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.830{8D845A55-159D-6260-1000-000000004402}3405556C:\Windows\System32\svchost.exe{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.830{8D845A55-159D-6260-1000-000000004402}3401108C:\Windows\System32\svchost.exe{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.830{8D845A55-159D-6260-1000-000000004402}3401108C:\Windows\System32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000244022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.829{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.829{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000244020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.829{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.829{8D845A55-15B0-6260-4F00-000000004402}38202388C:\Windows\system32\csrss.exe{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:21.829{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.828{8D845A55-15DF-6260-9400-000000004402}43241068C:\Windows\Explorer.EXE{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+
33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:21.828{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\OIK\Temporary0\PServiceControl.exe" C:\OIK\Temporary0\ATTACKRANGE\Administrator{8D845A55-15DE-6260-DFBE-070000000000}0x7bedf2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 11241100x8000000000000000244094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:22.863{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:22.863{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D91C1982BC48606456DE72ACF0C340C,SHA256=D642B6DE8F947360B700B08F7474E3D49333D8A96229ECC496F7313F18284D4E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:22.862{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000244091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:22.862{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5ED9E935BE9F7360E27E7C277E50838,SHA256=0BC8C21C41A020EC1CC96FC4FB7678659FC588E89DD5756A6E42534B722ECE48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:19.648{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56235-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:22.243{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:22.243{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0EED56C2F9F5A4F4120BDD29EA2DB4,SHA256=D54F8B6CF9DD67D8BB723A3531F758AB4CD5832290835155F714B2D4157DCD5E,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000244096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:24.172{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:24.171{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADB84D252CCA8BFF651FC3BED78B2C1,SHA256=F14A18EB62D0E7418DF68503C31A183A62E868EA3C4A73D647E92D341BE32DBE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:25.277{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:25.277{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5087EF0243951881220BACEF481D4E0A,SHA256=B762FE37E54216DDAD140EEDFD72D1135E95E2EA7BC0E72EF753849EC2A5A381,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:26.381{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:26.381{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7719A8B921C9A44D396808FC29C38F78,SHA256=46F8459A4149107A0B5AF5BFF67386B55A70BD4C330EFE99CF157C24A252A708,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:26.094{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:20:26.094 11241100x8000000000000000244139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.836{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.836{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C926E0FBF035FA6A431702EA15C1FF,SHA256=0D281B11104F3B7815E611A0C385AD4F36C2F16F15385A620E570B9E4E9296F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:24.658{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56236-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000244136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.262{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.261{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.260{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:27.260{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.260{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000244161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.604{8D845A55-15B0-6260-4F00-000000004402}38202388C:\Windows\system32\csrss.exe{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000244160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.604{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.603{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.603{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 
(rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.603{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 10341000x8000000000000000244156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.602{8D845A55-159D-6260-1000-000000004402}3405556C:\Windows\System32\svchost.exe{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.601{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000244154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.601{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.600{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.600{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exeC:\Temp\OIK\Temporary0\PService_PPD.exe------failed: Invalid hash-- 10341000x8000000000000000244151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.600{8D845A55-159D-6260-1000-000000004402}3405556C:\Windows\System32\svchost.exe{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000244150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.599{8D845A55-159D-6260-1000-000000004402}3401108C:\Windows\System32\svchost.exe{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:28.599{8D845A55-159D-6260-1000-000000004402}3401108C:\Windows\System32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3530e|C:\Windows\System32\RPCRT4.dll+20c87|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.599{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:28.599{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.599{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:28.598{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.598{8D845A55-15B0-6260-4F00-000000004402}38204036C:\Windows\system32\csrss.exe{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:28.598{8D845A55-15DF-6260-9400-000000004402}43245576C:\Windows\Explorer.EXE{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e70b|C:\Windows\System32\windows.storage.dll+16e421|C:\Windows\System32\windows.storage.dll+16e06e|C:\Windows\System32\windows.storage.dll+16f310|C:\Windows\System32\windows.storage.dll+16ddbe|C:\Windows\System32\windows.storage.dll+fce7d|C:\Windows\System32\windows.storage.dll+fd5bc|C:\Windows\System32\windows.storage.dll+fc920|C:\Windows\System32\windows.storage.dll+1664ca|C:\Windows\System32\windows.storage.dll+166222|C:\Windows\System32\SHELL32.dll+9cf3d|C:\Windows\System32\SHELL32.dll+9bad6|C:\Windows\System32\SHELL32.dll+d9be1|C:\Windows\System32\SHELL32.dll+c0bbe|C:\Windows\System32\SHELL32.dll+18d1bc|C:\Windows\System32\SHELL32.dll+18cf13|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.598{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\OIK\Temporary0\PService_PPD.exe" C:\OIK\Temporary0\ATTACKRANGE\Administrator{8D845A55-15DE-6260-DFBE-070000000000}0x7bedf2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 11241100x8000000000000000244141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:28.504{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:28.504{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F54732BF775A53DDC5743126D7AA9C,SHA256=7A12E4763BC54BFA97E6796498652F0C1FC765544B5C2EDD64ABD681BF1560FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.890{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.889{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4C75B2E636B0134B8746A852895BEF,SHA256=293907E80C65EB9B156E20BD75D517481C89386A7FE7EE3717B4E2890354DD49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.889{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000244266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.888{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07E3DDDA4DB7B46CDCF26DE708F3C19B,SHA256=F5469514F47EFDEC59AD611C71F9DB889ED5DAF1AEB5641009F1CAAA61694C69,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000244265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.664{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000244264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.664{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000244263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.662{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.661{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000244261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.515{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000244260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.515{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000244259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.514{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000244258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.513{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000244257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.512{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000244256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.511{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000244255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.511{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000244254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.511{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000244253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.505{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000244252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.504{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000244251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.504{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000244250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.504{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000244249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000244247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000244246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000244244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000244243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000244242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000244241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.503{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000244240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000244239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000244238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000244237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000244235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000244234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000244233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000244231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000244230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.502{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000244229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.501{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000244228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.501{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000244227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.501{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000244226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.501{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000244225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.501{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000244224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.501{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.500{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.500{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000244221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.499{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.499{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.498{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.498{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.498{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000244216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:29.497{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.497{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:29.497{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.497{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:29.497{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.497{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:29.496{8D845A55-24BD-6260-EF02-000000004402}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000244385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.999{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000244384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.997{8D845A55-24BE-6260-F102-000000004402}60486056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.997{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.996{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000244381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.856{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000244380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.856{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000244379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.855{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000244378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.854{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000244377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.853{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000244376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.853{8D845A55-24BE-6260-F102-000000004402}6048C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000244375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.852{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000244374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.852{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000244373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.852{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000244372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.846{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000244371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000244370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 
734700x8000000000000000244369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000244368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000244367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000244366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000244365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000244364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.845{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000244363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.844{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000244362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.844{8D845A55-24BE-6260-F102-000000004402}6048C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000244361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.844{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000244360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.844{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000244359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.844{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000244358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.844{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000244357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.843{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000244356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.843{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000244355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.843{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.843{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.842{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.842{8D845A55-24BE-6260-F102-000000004402}6048C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.842{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.842{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000244349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.841{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000244348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.841{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000244347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.841{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.841{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000244345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.840{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.840{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.839{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.839{8D845A55-24BE-6260-F102-000000004402}6048C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.839{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000244340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.838{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:30.838{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.838{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:30.838{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.838{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.838{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.837{8D845A55-24BE-6260-F102-000000004402}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000244333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.683{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:30.680{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A1C6E98EEBC0C002F93D4612951424,SHA256=ED7161E9263C219840CCD04100E8A7320431F5B75C2794AA4EC6A15E68A19000,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.410{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.409{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D444113CCF9B59340DE6087D46DE68E0,SHA256=79234CF732B9492AA52C1662DA027E34A8AB8D304BC3CCA3B12F61B1A1B26C19,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000244329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.353{8D845A55-24BE-6260-F002-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000244328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.353{8D845A55-24BE-6260-F002-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000244327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.351{8D845A55-24BE-6260-F002-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.351{8D845A55-24BE-6260-F002-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000244325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:30.275{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.275{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:30.275{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.271{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:30.271{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000244426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.716{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000244425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.715{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.715{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.715{8D845A55-24BF-6260-F202-000000004402}4480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000244422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.715{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000244421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.715{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000244419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000244418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000244417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000244416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000244415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000244414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000244413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 
(rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.714{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000244411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000244410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000244409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000244407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® 
Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000244405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000244404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000244403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.713{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000244402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.712{8D845A55-24BF-6260-F202-000000004402}4480C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000244401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.712{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.711{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.711{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.710{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.710{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000244396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:31.710{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.710{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:31.709{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.709{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:31.709{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.709{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.709{8D845A55-24BF-6260-F202-000000004402}4480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000244389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.708{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:31.707{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3238BEDE38B39738A74F5D31A389E9C2,SHA256=03DF867811EDB0EB6DD2A22BFB5C6D577152ADB9FDEDFA4F8C6B80808965235A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.728{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56237-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000244386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:27.728{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56237-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000244497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.749{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.748{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2211FB30A829EBB8D99B26C0E98EBE2C,SHA256=22E0BD5BA46D74FF32F994F178F430435D3BE61868E322F18228CF8875BDE064,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.728{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.728{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43CAFACEA57E22952B5442093DD311A,SHA256=0E95A14BB25AFF39A70C6B44003C602D2B989D714B81A3C12A66FE692C861399,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000244493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.518{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000244492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.517{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000244491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.516{8D845A55-24C0-6260-F302-000000004402}46644948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000244490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.516{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.515{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000244488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.356{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000244487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.356{8D845A55-24C0-6260-F302-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000244486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.355{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000244485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.355{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000244484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.353{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000244483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.352{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000244482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.352{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000244481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.352{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000244480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.343{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000244479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.342{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000244478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.342{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000244477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.342{8D845A55-24C0-6260-F302-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.342{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000244474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000244473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000244472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000244470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000244469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.341{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000244468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000244467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000244466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000244465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000244463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000244462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000244461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.340{8D845A55-24C0-6260-F302-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000244459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.339{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.339{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000244457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.339{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000244456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.339{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000244455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.339{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000244454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.339{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000244453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:32.338{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.337{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.337{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.337{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.336{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000244448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.336{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:32.335{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.335{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-24C0-6260-F302-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:32.335{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.335{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:32.335{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.172{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.172{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000244545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.018{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000244544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.018{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000244543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.017{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000244542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.017{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000244541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.015{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000244540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.015{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000244539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.014{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000244538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.014{8D845A55-24C1-6260-F402-000000004402}5536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000244537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.008{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000244536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.008{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000244535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.007{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000244534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.007{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.007{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.007{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000244531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.007{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000244530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000244529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 
(rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000244527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000244526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000244525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000244524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.006{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000244523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000244522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000244521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000244520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000244518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 
734700x8000000000000000244517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.005{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000244514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.004{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® 
Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000244513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.004{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000244512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.004{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000244511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.004{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 
734700x8000000000000000244510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.004{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000244509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.003{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.003{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.002{8D845A55-24C1-6260-F402-000000004402}5536C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.002{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.002{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000244504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:33.002{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.001{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:33.001{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.001{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:33.001{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.001{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:33.000{8D845A55-24C1-6260-F402-000000004402}5536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000244614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:34.868{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:34.867{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12953B2B400EACBAC224D2BC6786D5FB,SHA256=A934DAF8FDEC54AA51A63E27DCA2BB3B5166D86739D8A7A41BD515F7B8404411,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.973{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.972{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43A68C13D391B185F225E8A6EEF9A24,SHA256=C16C50706C1203EEE9443B791210A5C46630C744BB87AB8451828596459BA301,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000244621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.561{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.560{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000244619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.560{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.553{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:35.553{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.553{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.553{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000244625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:37.082{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000244624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:37.082{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8C529B4877F3D43E1CBDF8634DAA77,SHA256=660BC0DCD14BD250064125FA9FE6F7E83706AB23C2EA05FA95DC5ABF6B35934E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000244635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:38.742{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:38.741{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:38.741{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:38.738{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:38.738{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:38.737{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:38.737{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000244628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:35.568{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56239-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:38.186{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:38.185{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D84D149E28D2EAC136CCD3D566B731,SHA256=B1F775CD8207BB52EDE1D94C5D67697C1A4ED86DE35A5AE0C9C0A7FF1FB94E03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:39.292{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:39.292{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89FC2DFD0C128BADACFA2ECD97C02FC,SHA256=FD80B1D9089AD3F6203FA06D341E05059D4AD652598589585587E2B550695AAC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:40.299{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:40.299{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4313B67F3AF23B6AD90D23611937E5,SHA256=C5AF9E03E989089144AD7E49A6D2464854A96D90EA576EC4DE4E90BF04D2B359,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000244648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:41.973{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bbfd5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.972{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bbeee|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:41.972{8D845A55-15DF-6260-9400-000000004402}43242468C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0E02-000000004402}5068C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bbeb7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13be8f|C:\Windows\System32\windows.storage.dll+13ac1b|C:\Windows\System32\windows.storage.dll+13913f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.969{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb0af|C:\Windows\System32\SHELL32.dll+bc660|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.969{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+10ac30|C:\Windows\System32\SHELL32.dll+bc61c|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000244643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.969{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+bb304|C:\Windows\System32\SHELL32.dll+bc5f0|C:\Windows\System32\TwinUI.dll+100981|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.969{8D845A55-15DF-6260-9400-000000004402}4324372C:\Windows\Explorer.EXE{8D845A55-1E5C-6260-0F02-000000004402}3144C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+1007b9|C:\Windows\System32\TwinUI.dll+1011ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000244641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.403{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:41.403{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724BBBB69D7D1FBCE6298F4547FCAA09,SHA256=F559DF6C7C87FE66605665912208F2BA9DA40FA52351F116C2C670AA5CD52488,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:42.511{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:42.510{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E922455A6A29B7477436AE8CF3AA973,SHA256=FE6763E3D24EC44C546BD985A81DB049344508BE0ED5B7FC88CD4C18BE0C5C6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:43.615{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:43.615{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C17AE1AD4081C32FA4EAC915596B094,SHA256=CCD3B3DC475E163F9BCCED23302189E9C319547C447853B990A5D091F8D1CD06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:40.609{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56240-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:44.720{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:44.719{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC87C041ACCA57DA1559F383C12C7D7B,SHA256=BBB1DDCC6FB9E12F757DFDE2C779DE244D09DDAA388FD6CD4CDD6D4D37430D25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:45.824{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000244656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:45.823{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210038CBD44F4AE2C2504FEE3C4A1642,SHA256=40C3ED7152E8119EA447DB06C864AD29A3D83301FA1689CCD7B29C1AF1DD5F74,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:46.827{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:46.827{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E064E9239B70B39687C686D87ECA306,SHA256=9364BDC447E7251B74CD97CB198458FBDE77828FC9CF7E2DBBDBC8D94F98D14E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:47.936{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:47.936{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D4D27B71AC28EB652B72D84C27F969,SHA256=21857976606FA7B8CC19D6E98F0A18461590B76129EBC381549B53DF565162C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:47.785{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000244660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:47.785{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=25405A84500A55ECF2D83037732A33C7,SHA256=115C909006367D0717FA8FF5244E81E80401F42AE3222D0BF73BC19759360529,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:45.632{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56241-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:49.040{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:49.040{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B417071465F4F6093DF9A46032456E,SHA256=C27AD7977D7A6409FF1B2AEE0CE1CCA44CA76A0FD10034806C446BC80BD441F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:50.147{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:50.146{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D447BC63605E21F4C51CDA2B2789CD96,SHA256=68CD360A0610DC44CBD7C15775A3C6CFE041667FD27F44F9065A2E1250C336E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000244673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:51.959{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-062MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:51.957{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0622022-04-20 15:20:51.957 11241100x8000000000000000244671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:51.956{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0632022-04-20 15:20:51.956 11241100x8000000000000000244670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:51.254{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:51.254{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF240CB06F9CC4CF382E1DE84F1E853,SHA256=E463F8AB0C6C3A49A3335A10DB6751431072B63A8AAC583A03E54E2491C983D6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000244676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:52.962{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:52.360{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:52.359{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95AE580924588F064E2E7006670819A2,SHA256=B36AD915780BC33BE29CEE13153EFCF16F166F4B2A6EB43B5ECFA0CBF1FFB1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:50.656{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56242-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:53.466{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:53.465{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385DD783637FB06A180E00276853905C,SHA256=1EFDA59B8AB9F456EFCF589F3D84133C44BDB15B4693D8D7F423B07D365E6CEE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:54.569{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:54.569{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDED5FC6B78AF01814414784BD52E8C,SHA256=6400CF22D9E5034AD56031E437A9E0544B33C812D0ECBE394AEE3E68236AF17C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:55.674{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:55.674{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC0264D7F03CD22C19D27E6EC36AD3B,SHA256=931DD048143907131A57EEB94EB8419063DA5A354461A37F931F895A9095CA4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:56.681{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:56.680{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD53419BB81FC30BC9E799BAEE8D7C8,SHA256=548E4D3D6C7E92AD2AC1C224EFE3E716E47119843B00CAA94F65987625126C04,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:56.086{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:20:56.086 
11241100x8000000000000000244688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:57.686{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:57.685{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF66E998C698DDD4BDBF8378847B1DD,SHA256=012B33BBE9A3EDEE2CB2F119A6CB0C376BF08205C9D4FACA6B3279F85B1AF754,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:58.692{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:58.692{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6A6C9645BB4C485683485C22A9D780,SHA256=FE9A4CC191A65DA263FB008D7CE4618D21C0214518DEEA12220616737F2A3071,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:20:59.699{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:59.699{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9FBF4C54E57A942D33274A843F6BA1,SHA256=847836471186007AAC054AF84D1F67A42DEED9307A8B224F3300BCC28EABD947,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:59.277{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-04-20 14:16:57.501 23542300x8000000000000000244692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:59.277{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EA5F46ACEC57E236F3451FFB9C5374BE,SHA256=86AA29A3ADCB985922C164174651B9AC980F26678E3931344DFAFA226499FFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000244691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:59.264{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=63E14849F352D02C6B2D3056E39F78FD,SHA256=C14ED6E0C6082E63EAD911D929B4FEE55475E41EE1CE476BDE12538F9DE30445,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.804{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.804{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D783A630337C641B57F7F675651121,SHA256=125CDC88D9CCC6521DA2DB50AD6023A7D11E5D7D464C90D04C863D633A5802C3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000244703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.572{8D845A55-24A2-6260-EA02-000000004402}4404C:\OIK\Temporary0\industroyer2.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4,IMPHASH=3BCAD7DA03A0242A2A34491F77EA8067trueMicrosoft WindowsValid 534500x8000000000000000244702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.534{8D845A55-24BC-6260-EE02-000000004402}172C:\Windows\System32\conhost.exe 
534500x8000000000000000244701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.532{8D845A55-24B5-6260-EC02-000000004402}5960C:\Windows\System32\conhost.exe 534500x8000000000000000244700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.531{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe 10341000x8000000000000000244699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.530{8D845A55-24A2-6260-EA02-000000004402}44042704C:\OIK\Temporary0\industroyer2.exe{8D845A55-24BC-6260-ED02-000000004402}4104C:\OIK\Temporary0\PService_PPD.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\OIK\Temporary0\industroyer2.exe+774d|C:\OIK\Temporary0\industroyer2.exe+4f9b|C:\OIK\Temporary0\industroyer2.exe+513a|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 534500x8000000000000000244698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:00.528{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe 10341000x8000000000000000244697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:00.528{8D845A55-24A2-6260-EA02-000000004402}44042704C:\OIK\Temporary0\industroyer2.exe{8D845A55-24B5-6260-EB02-000000004402}5824C:\OIK\Temporary0\PServiceControl.exe0x1C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\OIK\Temporary0\industroyer2.exe+774d|C:\OIK\Temporary0\industroyer2.exe+4f9b|C:\OIK\Temporary0\industroyer2.exe+513a|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 354300x8000000000000000244696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:20:56.512{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56243-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:01.911{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:01.911{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983020ED285EB8F348797F558658C43F,SHA256=F415B0C9193FE7FF8933CDECE20151C87A4A1DC6FE78844A2FBC73DBF6BBFF73,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000244709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.localInvDBSetValue2022-04-20 15:21:02.532{8D845A55-159D-6260-1000-000000004402}340C:\Windows\System32\svchost.exeHKU\S-1-5-21-3969656166-2769217111-789616835-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\OIK\Temporary0\PService_PPD.exeBinary Data 13241300x8000000000000000244708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.localInvDBSetValue2022-04-20 15:21:02.529{8D845A55-159D-6260-1000-000000004402}340C:\Windows\System32\svchost.exeHKU\S-1-5-21-3969656166-2769217111-789616835-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\OIK\Temporary0\PServiceControl.exeBinary Data 11241100x8000000000000000244713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:03.360{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000244712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:03.360{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000244711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:03.016{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:03.016{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2D36FC73E4B0853E17BF7382698331,SHA256=50308E66203E9E7EAF5A403E224ECB42144C0D301E00B70872D7C0F228186E05,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:04.120{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:04.119{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6E5581402B449B4251A9159C56150F,SHA256=428464721B86606B02C95D75F29FA3E1E7596F3987794A06AF5D4326A2D5A0B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:01.767{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56248-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000244718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:01.640{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56247-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000244717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:05.224{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:05.223{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D82BFA7A451633C74C6D5AFC91B109,SHA256=4CDA7D9FB9DBA375C70823805756D4E70F560B178AC69C01938BE14FD5B2DDC5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:06.328{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000244720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:06.328{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CEDCCD0A60BAFB05F85BFF6AE7BA8D,SHA256=A50A12FBFFFF7B4DD7910862450F63868EE8CE81A486D75292502A2656520C9C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:07.431{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:07.431{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4CAE9F843D2BC76F6BCC45C6945AFA,SHA256=0685798078C1963255C7BB3EF2B7960E3729A96A51A345CBE7F3F3FF3FEBA43A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:08.535{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:08.535{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D777BBB89325AA203E8B9E079566D9,SHA256=AC74CEB862F80998F488317A2250762C7788FCD437F0CE9FAE2A279850F2F985,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:09.638{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:09.637{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EE5B781BCD36273842DDD2BA9B16D4,SHA256=FAB97E2806B9C625224BF783983008172C0A441D234BF415EC96FFCF03B5B561,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000244729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:10.641{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:10.641{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE5A9597479B6863CC5EE28E027F936,SHA256=925BCD2A5C354278923E2B65564D80337C86BBC4AFE39B08D4E4F0B95A234580,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000244733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:21:11.882{8D845A55-159D-6260-1200-000000004402}504C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d854ca-0x449ee8b6) 11241100x8000000000000000244732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:11.745{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:11.745{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F262C6580639198987340205C175BF24,SHA256=BE3727ECF84E887B1B09CEFDA955DB89ACECE61E583BAEC9A1CBF28562BB46D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000244730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:07.599{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56249-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000244786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.508{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000244785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.508{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000244784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.507{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24F9-6260-F602-000000004402}3376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.506{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.506{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.506{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.506{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000244779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.506{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:29.505{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.505{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:29.505{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.505{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.505{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.504{8D845A55-24F9-6260-F602-000000004402}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000244772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:29.481{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E83F817C256C95D5104818331E52706C,SHA256=672761DE506181E8AEFFB9D2F1B502C4A4DD567050989968E3EF66A18621B4C4,IMPHASH=00000000000000000000000000000000falsetrue 
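The Event ID 10 (ProcessAccess) records in this capture carry the fields an analyst actually triages: the source and target image, the GrantedAccess mask (0x1fffff, 0x1400 and 0x101400 appear above) and a pipe-separated CallTrace of module+offset frames. The following is an added example, not part of this log dump nor of Sysmon or Splunk, showing how to decode those two fields and apply the usual first-pass checks. Sample records 1 and 2 are constructed from values visible in the events above (record 2's call trace is abridged); record 3, the tool reading lsass.exe with an UNKNOWN frame in its trace, is a constructed hypothetical that this capture does not contain, included to exercise the checks the capture cannot.

```python
"""Decode Sysmon Event ID 10 (ProcessAccess) records like the ones in this capture.

Added example; not part of the original log dump, Sysmon or Splunk. Sample
records 1 and 2 are built from values visible in the capture (GrantedAccess
0x1fffff / 0x1400 and their CallTrace strings); record 3 is a constructed
hypothetical that exercises the UNKNOWN-frame and lsass checks.
"""
import re

# Process-specific access rights (low word) and standard rights (high word), per winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF
MEMORY_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE",
                 "PROCESS_VM_OPERATION", "PROCESS_CREATE_THREAD"}

FRAME_RE = re.compile(r"^(?P<module>.+)\+(?P<offset>[0-9A-Fa-f]+)$")


def decode_access(mask):
    """Return the set of named rights present in a GrantedAccess mask ("0x1400" or int)."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return {name for bit, name in PROCESS_RIGHTS.items() if mask & bit}


def parse_call_trace(trace):
    """Split a CallTrace into (module, offset) frames, innermost first.

    Frames Sysmon could not attribute to a loaded image are logged as
    UNKNOWN(<address>); they are returned with offset None.
    """
    frames = []
    for frame in trace.split("|"):
        m = FRAME_RE.match(frame)
        frames.append((m.group("module"), int(m.group("offset"), 16)) if m else (frame, None))
    return frames


def assess(record):
    """Return the reasons a ProcessAccess record deserves analyst attention ([] if none)."""
    rights = decode_access(record["GrantedAccess"])
    frames = parse_call_trace(record["CallTrace"])
    reasons = []
    if int(record["GrantedAccess"], 16) == PROCESS_ALL_ACCESS:
        reasons.append("PROCESS_ALL_ACCESS requested")
    elif rights & MEMORY_RIGHTS:
        reasons.append("memory rights: " + ", ".join(sorted(rights & MEMORY_RIGHTS)))
    if any(offset is None for _, offset in frames):
        reasons.append("call trace has frames outside any loaded image (UNKNOWN)")
    if record["TargetImage"].lower().endswith(r"\lsass.exe") and rights & MEMORY_RIGHTS:
        reasons.append("memory access to lsass.exe")
    return reasons


SAMPLE_RECORDS = [
    {  # from the capture: console host attaching to the new splunk-netmon.exe process
        "SourceImage": r"C:\Windows\system32\conhost.exe",
        "TargetImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|"
                     r"C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|"
                     r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    },
    {  # from the capture (trace abridged): svchost.exe (LSM, via RPC) querying sysmon64.exe
        "SourceImage": r"C:\Windows\system32\svchost.exe",
        "TargetImage": r"C:\Windows\sysmon64.exe",
        "GrantedAccess": "0x1400",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|"
                     r"c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|"
                     r"C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\System32\KERNEL32.DLL+84d4|"
                     r"C:\Windows\SYSTEM32\ntdll.dll+51791",
    },
    {  # constructed hypothetical (not in the capture): a tool reading lsass memory
        "SourceImage": r"C:\Users\Public\tool.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(000001D4A2B30000)|"
                     r"C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    },
]


def triage(records=SAMPLE_RECORDS):
    """Map each 'SourceImage -> TargetImage' pair to its assessment reasons."""
    return {f'{r["SourceImage"]} -> {r["TargetImage"]}': assess(r) for r in records}


if __name__ == "__main__":
    for pair, reasons in triage().items():
        print(pair, "=>", reasons or "nothing notable")
```

The mask decode makes the three values in this capture readable at a glance: 0x1400 is QUERY_INFORMATION plus QUERY_LIMITED_INFORMATION, 0x101400 adds SYNCHRONIZE, and 0x1fffff is PROCESS_ALL_ACCESS. The capture itself shows why a source-image baseline is needed before alerting on the last of these: conhost.exe and csrss.exe open the freshly started splunk-netmon.exe with full access as part of normal console and subsystem setup. The checks that carry signal are memory rights against lsass.exe and UNKNOWN frames in the call trace, which indicate code executing outside any mapped image; neither occurs in this benign Splunk forwarder activity.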
534500x8000000000000000244942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.758{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000244941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.756{8D845A55-24FA-6260-F802-000000004402}16244948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.756{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.755{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image 
HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000244938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.726{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000244937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.725{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A341FD48651DD0C1D8CF82F586205B,SHA256=7FFA91D9E5335769DCDA59B26E1A4205962E5C84DBE4AA5153DD6E615CAB2FEA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000244936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.609{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000244935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.609{8D845A55-24FA-6260-F802-000000004402}1624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000244934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.608{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000244933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.608{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000244932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.606{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000244931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.605{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000244930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.605{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000244929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.605{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000244928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.604{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000244927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.598{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000244926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.598{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000244925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.598{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000244924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.598{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000244923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.598{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000244922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.598{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, 
Inc.Valid 734700x8000000000000000244921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.597{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000244920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.597{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000244919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.597{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000244918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.597{8D845A55-24FA-6260-F802-000000004402}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000244849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.073{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000244848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.073{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000244847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.073{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000244846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.073{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000244845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.073{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000244844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.072{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.071{8D845A55-24FA-6260-F702-000000004402}2380C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000244842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.071{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000244841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.071{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000244840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.071{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK 
providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000244839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.070{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:30.070{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.070{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:30.070{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.070{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.069{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.070{8D845A55-24FA-6260-F702-000000004402}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000244832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.069{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000244831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.069{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D5E5A5B535D978D5A6B2F61D597020,SHA256=30683EE5D4FA0CE88647DB7B798D983CEB93A0576D75EE6791DF467A45D626D2,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000244996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.879{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000244995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.877{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000244994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.877{8D845A55-24FB-6260-F902-000000004402}21444880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000244993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.877{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000244992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.876{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000244991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.733{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000244990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.732{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000244989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.732{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000244988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.731{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000244987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.729{8D845A55-24FB-6260-F902-000000004402}2144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000244986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.729{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000244985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.729{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000244984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.728{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000244983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.722{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000244982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.722{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000244981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.722{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000244980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.721{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000244979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.721{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000244978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.721{8D845A55-24FB-6260-F902-000000004402}2144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000244977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:31.720{8D845A55-24FB-6260-F902-000000004402}2144C:\Program 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.914{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000245063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.914{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000245062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.913{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000245061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.913{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.913{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.912{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.912{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000245057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.912{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:32.912{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.912{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:32.911{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.911{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.911{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.910{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000245050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.777{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:32.776{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFA6B9C684B0E4B94531A19B365676C,SHA256=21BA28BEB1E29A21F1C9C06FB5BC2069D085D1264C30107C311DEAC810950696,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000245048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.553{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000245047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.552{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000245046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.551{8D845A55-24FC-6260-FA02-000000004402}53444440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.551{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.550{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.399{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:32.399{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.398{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.397{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.396{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.396{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.395{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.395{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft 
WindowsValid 734700x8000000000000000245035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.388{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.387{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.387{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.387{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.387{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000245025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.386{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.385{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.384{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.384{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.384{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.384{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.384{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 
10341000x8000000000000000245008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.383{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.382{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.382{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.381{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.381{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000245003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.380{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:32.380{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.380{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:32.380{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000244999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.380{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000244998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.380{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000244997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:32.380{8D845A55-24FC-6260-FA02-000000004402}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000245159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.750{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000245158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.749{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000245157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.747{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.747{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.584{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000245154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.583{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.583{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.582{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.581{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.580{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.580{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.574{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.573{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.573{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.573{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000245144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.573{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000245141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.572{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.571{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:33.570{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.570{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.570{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.570{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000245123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.569{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.569{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.569{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000245120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.569{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000245119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.566{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.565{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.565{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.565{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.565{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000245114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:33.564{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.564{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:33.564{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.564{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:33.564{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.563{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.563{8D845A55-24FD-6260-FC02-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000245107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.562{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.562{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47AA30C1E94DB11AF97A47EB7A7ADB8,SHA256=DED5B3B8435D59838B1650A7AD3CCAB73459C8B0D61CA30078866C7427DC11A5,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000245105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.080{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000245104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.078{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000245103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.078{8D845A55-24FC-6260-FB02-000000004402}51122456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.071{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.070{8D845A55-24FC-6260-FB02-000000004402}5112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 
(rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000245100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.047{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:33.047{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924CED27A46FF26550E526F4B38EA166,SHA256=F7FBAF5A9B7C70F9D898E384811F91D36AA6C73EBB6B68C2E96363040E7C7725,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:34.895{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:34.895{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=97028B3CDB3FDD90CB34FC96CECB5C24,SHA256=17FEB7E317406260A6E68A6501110D2467666E4C908AC1044790AFE3EDAF46F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:30.632{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56254-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:35.972{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:35.972{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82401D5609C4769A5DD839B3674C8888,SHA256=B8EC240E95E6C6AAF61A12E0EC0F8515D14FF4E38440846C6B6DD0E74993E358,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:35.099{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:35.099{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EDD3F5832ABAD5FAF750E5FAE4835D,SHA256=51FFFDEFE5648A3843574FF7C1C9B93A17599CC11A66829C028E723DA1723FA9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:37.077{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:37.077{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5987892909FD3EAE13E2E40357118B,SHA256=6FD26B39B79D5680BB62BADBCBCFE3F6E2E75120553CEB7FF9197C38ABFD7305,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:38.184{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000245169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:38.183{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17ECDD8560776E0F79F02E0D4B1254B7,SHA256=AFAB86A81256DF9CE238F05B1114F87744172D425E0CD1F1838086E27940F2F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:36.457{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56255-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:39.287{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:39.287{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7911306F130DD6C389B7B1FB70A6ADD2,SHA256=E215C20C63A6157D47778F4B8E9F2B51544DA25D6F03CB5CA9459DCFD9F64F29,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000245175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:40.296{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:40.296{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4636CEC88D27E8F9BADA77D08C8B3D70,SHA256=D3A0547908D08D957066C4DCB2B447D6FE0B70F787F0A204BC9EDBCC021B5118,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:41.301{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:41.301{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71CD6E1FD74C0531537AB68E2CEEE5D2,SHA256=26516CF12AFDC2BF7B6E134CF8C9BD20956C12914313ECF3D4FF7423F63A4C79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:42.404{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:42.404{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2051B510E44B5E23144B62B8F1ED57,SHA256=DC4285A7B673C86DF4B19CD81FE508AB07B11AD12F678D6FC2706EBA1CB036F8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:43.507{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:43.506{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107B8B5EC89B01E72957586A710DE62A,SHA256=504DB86E805F4817DFE53E721F1182F09A7009CA00340BF272D6C993B4FFA5D7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:44.610{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:44.609{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49D0E718CFF24FE667A194EC43B2360,SHA256=9DA356D267FEEF913C52A39EC1BCFBC2FC3BC143911D22DC85A8E20621F5330D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:41.496{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56256-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:45.614{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:45.613{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964301A533DA74319C1587A01755DC32,SHA256=82BDABF8EFD14E0DCC1223FA418827FA0F352E9E2404038164D988F6CD43C440,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:46.717{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:46.716{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D675969C259995CE0F89A49453BF4431,SHA256=EBE2216FAD045A29A1CE414984E1943C0BF60AC098A0685EBFDCA45E77470FE1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:47.820{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:47.820{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740AA1DB1EEEF4D75222B60D6D5D9062,SHA256=E82B94EACC75B99D54BDDFA0F0639829CFBC938AD3629BCA9C09D83CD90C1F8E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.926{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.926{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CE78DDD6E06003AD05D2C195E7E466,SHA256=97598F8C41438F14F9C70DAA9194A2B32166AB6A228E9FB34C3E8C5C1A1E0FC4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000245197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:21:48.468{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 11241100x8000000000000000245196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.467{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML.TMP2022-04-20 15:21:48.467 
13241300x8000000000000000245195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:21:48.465{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\34368782-AD18-41EA-9DBB-4DCA5018EFF5\Config SourceDWORD (0x00000001) 13241300x8000000000000000245194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:21:48.465{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\34368782-AD18-41EA-9DBB-4DCA5018EFF5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_34368782-AD18-41EA-9DBB-4DCA5018EFF5.XML 11241100x8000000000000000245193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.464{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_34368782-AD18-41EA-9DBB-4DCA5018EFF5.XML.TMP2022-04-20 15:21:48.464 10341000x8000000000000000245192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:48.452{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.452{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000245206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:46.893{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local52114- 354300x8000000000000000245205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:46.891{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53400- 354300x8000000000000000245204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:46.877{8D845A55-159D-6260-0D00-000000004402}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56257-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 354300x8000000000000000245203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:46.877{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56257-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 10341000x8000000000000000245202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:49.303{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:49.301{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:49.301{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000245218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:47.720{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56259-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000245217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:47.720{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56259-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000245216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:47.435{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56258-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:50.391{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000245214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:50.391{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F0651B4893B275905B2F24B7C0D0636,SHA256=A676545FF83AEB62A79739524CD4ACAB3606EF3E80116BDAC31FFCF2FC2D2BDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:50.305{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:50.305{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:50.131{8D845A55-159B-6260-0B00-000000004402}636808C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:50.128{8D845A55-159B-6260-0B00-000000004402}636808C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:50.128{8D845A55-159B-6260-0B00-000000004402}636808C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000245208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:50.033{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:50.033{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172584C3B1C382378BE01CBFCC631FAE,SHA256=FC7152DBA3E0B856A8CA031896B5B6F1E54B3EB29CFD8003E2DBF6CF646ECBCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.548{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56260-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000245221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:48.548{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56260-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000245220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:51.139{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:51.138{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CC0900CE76004BE7190AA349DE1FFC,SHA256=FC65CBC142D7C4FCF9ED01F45278C9B7B2112A6F0F7DB13122B7008793524330,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:52.244{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:52.243{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F23D8D3273EFEE000C72945B34B8565,SHA256=2A9C4CFB553D66C24395C87353D0239D38B3B1E33646A5C32E71139D2BCEEEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:53.471{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-063MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:53.470{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0632022-04-20 15:21:53.470 11241100x8000000000000000245227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:53.468{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0642022-04-20 15:21:53.468 11241100x8000000000000000245226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:53.348{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:53.347{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7679A1C5DE41038A04C3E3612E6A59,SHA256=16CB6CC68241E47BFBCBCB951B3E784BF0C43C007389282DE7D7D63AB430D4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:54.469{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:54.453{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:54.453{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7EA0AFBB265D16AEC85825F5257D62,SHA256=97EC35A19C66F9CCE4DDCFD55C37AA04A6934D25812209BE38EE2EFB2D12F75B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:54.040{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:54.039{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=82F5AC0013182CC43C7A1A50F8E3AF03,SHA256=F5524D8C04505A73083A5EE0E18F67C7FAD7AB72D4FE04048A9C607D888A2581,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:55.556{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:55.556{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E728238EB870E25F013AF68F063288CF,SHA256=8FCBDAD7327FB824DA1D7D7BA29CD65D34EEE15C1550DA95739754A374375AB4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:56.663{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:56.663{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72EBB899B29F1D6C9228EB18794F7A7,SHA256=8729A06934E4D2EA0E0BF12F7D651B19F34D59566AF4C97E30ACC60C19DB8611,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:53.430{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56261-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:56.089{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:21:56.089 
11241100x8000000000000000245242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:57.667{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:57.667{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B83D53D52EC4C06688948617747C9081,SHA256=E3B3B02655817F6B83401C0694E92066F013545C5F289948A194EEFEEC450263,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:58.771{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:58.770{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F0F03A44E196BA0C00BBCE34AFB0B6,SHA256=71782A67EF7BB3D2EB581E9B130159DEC5F24C452267F9102866F23B43373DE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:21:59.779{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:59.778{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5EE15BF219A8B69EA2750F63960481,SHA256=67995619D8D66927DBAEDFEA7A975F676C05C9A5FBFD7883170092EAD945E340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:59.695{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=32110CA6781E6F89B49EEC5AE984C7A7,SHA256=66E67A2A7F346E401DE97BC16C512C845CD7EF05923E7152E57B1B851EE11BD7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:59.282{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000245247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:59.282{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1CA6D0446B259B9B03818A682E7AFD11,SHA256=697AD6FCA12255B1B24DC59251A47F0041B0641C5C49F935F9E347FAF0B7168B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:59.050{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:59.050{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=91BBBBF78CBB7F5D146766AABA573EFE,SHA256=E9D2C2D9ABA858E7E940A1C9D83A2B59C4AAA14925000653EFF6E3A2B3FFC139,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:00.881{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:00.881{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55AE2BF410811C794B6D08407F92C74,SHA256=E2CB1A2738529794DE28C7233ABF61B32E11BC8F56D558928F9B7824A190A9AD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:01.984{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:01.984{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC918C4402E0C1BF55E2E30D7C41A58,SHA256=A3083AA0063537D6E4A8B5F1F14DD67C766C05FBDE41FF8DB7D1F1020C491AED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:21:58.458{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56262-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.377{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 
23542300x8000000000000000245259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.377{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.089{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.089{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769FF192CD3D2F67F5B860A0C2BEEB1E,SHA256=B1EBC7086CFE3B407E1D658959D0D162B90D91E608E2BBD9B76A175DB7453023,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:01.785{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56263-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000245262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:04.194{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:04.194{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA251208B043F57C8AB92789FD6577F,SHA256=6464B8F7A9BED0636573F95772706D823012A293DAF0E93E16F53CEFD1DF689F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:05.502{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-1596-6260-0100-000000004402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 
10341000x8000000000000000245267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:05.392{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:05.383{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
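The three Event ID 10 (ProcessAccess) records just above (RecordNumber 245266, 245267 and 245268) are worth reading carefully before they are turned into a detection. In Sysmon's field order the first GUID/PID/TID/Image block is the source and the second is the target, so here lsass.exe (PID 636) is the SourceImage opening svchost.exe (PID 1292) and the System process (PID 4) with GrantedAccess 0x1000, and the call trace runs through lsasrv.dll and kerberos.DLL, which only load inside lsass. That is the LSA inspecting its RPC callers, not something touching lsass. A rule that simply matches "lsass.exe" anywhere in an Event 10 record fires on all three; a rule keyed on TargetImage and on the access mask does not. The following Python is an added example written for this page, not code from Splunk Attack Range or from the captured host. The XML records it parses are constructed to mirror the fields of the flattened records above (the tag structure was stripped from this page), the rundll32.exe and UNKNOWN(...) records are hypothetical, and the choice of which access-mask bits count as dump-capable is this example's own assumption to be tuned per estate.

```python
"""Triage Sysmon Event ID 10 records for suspicious access to lsass.exe.

Added example; the events below are constructed test input, not the captured log.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Process access rights a credential dumper needs on lsass. 0x1000
# (PROCESS_QUERY_LIMITED_INFORMATION) alone is routine and is what the
# captured records above carry. Assumption: tune this mask per estate.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
DUMP_MASK = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ
             | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)


def parse_event(xml_text):
    """Flatten one Sysmon <Event> into a dict: EventID, EventRecordID and every EventData field."""
    root = ET.fromstring(xml_text)
    rec = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "EventRecordID": int(root.findtext("e:System/e:EventRecordID", namespaces=NS)),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def triage_lsass_access(rec, benign_sources=frozenset()):
    """Return None when the record needs no review, otherwise a one-line reason.

    Only Event ID 10 with lsass.exe as the TARGET is in scope. On a domain
    controller lsass is frequently the SOURCE (it opens its RPC callers, as in
    records 245266-245268 above); those are noise for this purpose.
    """
    if rec.get("EventID") != 10:
        return None
    target = rec.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    source = rec.get("SourceImage", "").lower()
    granted = int(rec.get("GrantedAccess", "0x0"), 16)
    trace = rec.get("CallTrace", "")
    rid = rec["EventRecordID"]
    # Sysmon renders frames that are not backed by a module as UNKNOWN(<address>):
    # code injected into an otherwise trusted image. Check this before any allowlist.
    if "UNKNOWN(" in trace:
        return f"record {rid}: {source} opened lsass with 0x{granted:x} from unbacked code: {trace}"
    if source in benign_sources:
        return None
    if granted & DUMP_MASK:
        return (f"record {rid}: {source} opened lsass with 0x{granted:x} "
                f"(dump-capable bits 0x{granted & DUMP_MASK:x})")
    return None  # query-only masks such as 0x1000 or 0x1400: baseline them, do not page on them


def make_event(record_id, source, target, granted, call_trace):
    """Build a minimal Sysmon Event ID 10 XML record (constructed input for this example)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>10</EventID>
  <EventRecordID>{record_id}</EventRecordID>
  <Computer>win-dc-ctus-attack-range-355.attackrange.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2022-04-20 15:22:05.392</Data>
    <Data Name="SourceImage">{source}</Data>
    <Data Name="TargetImage">{target}</Data>
    <Data Name="GrantedAccess">{granted}</Data>
    <Data Name="CallTrace">{call_trace}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # Modeled on RecordNumber 245267 above: lsass is the SOURCE, opening its RPC caller.
    make_event(245267, r"C:\Windows\system32\lsass.exe", r"C:\Windows\system32\svchost.exe",
               "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+6ea9c"),
    # Modeled on RecordNumber 245268 above: lsass opening the System process (PID 4).
    make_event(245268, r"C:\Windows\system32\lsass.exe", "System",
               "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\kerberos.DLL+97022"),
    # Constructed benign record: a service host querying lsass with QUERY_LIMITED_INFORMATION only.
    make_event(900001, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\lsass.exe",
               "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd"),
    # Hypothetical: rundll32 opening lsass with PROCESS_VM_READ set (a MiniDump-style access).
    make_event(900002, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\system32\lsass.exe",
               "0x1010", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\comsvcs.dll+1a2b3"),
    # Hypothetical: query-only mask, but an unbacked frame in the source thread's call stack.
    make_event(900003, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\lsass.exe",
               "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(000001B2C1A20F5C)"),
]


def run(events=SAMPLE_EVENTS, benign_sources=frozenset()):
    """Parse every record and return the findings list (empty when nothing needs review)."""
    findings = []
    for xml_text in events:
        hit = triage_lsass_access(parse_event(xml_text), benign_sources)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in run():
        print(line)
```

Run against the constructed set, the two records modeled on the page and the benign svchost query produce nothing; only the rundll32 record (VM_READ in the mask) and the record with an unbacked frame in its call trace are reported. The unbacked-frame check runs before the source allowlist on purpose: an allowlisted image with injected code is exactly the case an image-only allowlist would hide.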
11241100x8000000000000000245265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:05.299{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:05.299{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959B4845AA8A085697185AA67F60DAA1,SHA256=A780A8729A3C7DF7559EE988D9A4A5CC06FD560DE82CA074F74447322199BFF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.923{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56267-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000245278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.923{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56267-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000245277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.815{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56266-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000245276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.815{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56266-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000245275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.808{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56265-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000245274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.808{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56265-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000245273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:06.439{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000245272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:06.439{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A48CF0C009499151C2E18C48AC9281D2,SHA256=8FA636D07FA962211AFB576BDF72015DC7C46FC439627986F2735E9FD1AABB24,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:06.403{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:06.403{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10734C9196DB2598F291F266C2AED64D,SHA256=2E5ED717DB96CCD8CFCD79117A9BE424CBEDE788378A471DA37376CAA4963D02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:03.515{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56264-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:07.408{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000245280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:07.407{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C6BCBED5B34E265FDFA4E106AB7400,SHA256=C9BD87D7CEABF9734FCDE922F90194D326EA0B264B67479D61CC988B4953EAF3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:08.511{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:08.511{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FCAA3392EF99980C44F8F94DF02F5A,SHA256=318265B5502D63D36C26D919A4DA789A6CF6813EB5D1B4E941FD876866E4F20C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:09.613{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:09.613{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466B83B363505DB882C72B82A64401C1,SHA256=CA861E2AB6DEF8DE7A8BB25937F8ACE0A6DC0F9C2B664D8F3566C064D34AE22D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:10.716{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:10.716{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8B95DF2A142A75B98A5335B9604BBF,SHA256=BD8309B3D19ACB67362585E6CB4A9735F49FDD429E5D63E1DCACA7AA46FB9F65,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:11.821{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:11.820{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BF21224FBD7C9CA93FA30DE60A57DC,SHA256=F0FECA0E1799E678B159463BBCB2230343220458EEC00DEE2DD707DD64053C71,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:12.825{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:12.825{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2FEBBDA4EAEEEEBC1F95A2EE456FF0,SHA256=BB16A669274E72E6E8CF244BB9B1ACEAE692FF6B0B1B8E4D0892372ECAAF3CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:08.563{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56268-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:13.828{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000245293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:13.827{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC70900ACBFD47E0870598D79BF92948,SHA256=00A60F055B89AC98C3AFAA5243CE5E6B3208A0DAEEA9D4261C5F37680985D8A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:14.933{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:14.932{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5239FF8C2ECA9D52B6BF629FD7C83785,SHA256=BCCF717CCB13333D4D904327F10923717D97631226E435BECF035C537E8ECE4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:15.939{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:15.938{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBAD103596D1C592846BBE77B968B74,SHA256=937237FDAA165FF15B59096EDD420AB66EB2ADA292A2A98D226BD7C61C9B36D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:13.639{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56269-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:17.267{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000245302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:17.267{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=174B20302D8930C431522C08449AABAA,SHA256=77A86562AAE07F19809539912E9E70D08A06F572DC8C1346993CF973D13D1219,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:17.042{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:17.042{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F54DD4052BE1D234458EA6C4D1CC69F,SHA256=2D25EE32C9F416F799D59B92DF8EB2D2F3965C1B5AF11E59B4E49F71A46B92DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:18.146{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:18.146{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49476AA966ECEA8A841F8881073A7ED2,SHA256=5D86598913BD6D0DDB2C3855E30D8984BB650926909F38F537EF08EFEC8AD548,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:19.249{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000245308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:19.249{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30E955BB841B570DFBF4E93B7E418C3,SHA256=D0508E15B1D78A55C3D3FE4A547DDAF33556AD9AC9F6FF33394C2B8B878F6F0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:19.100{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:19.099{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=D4C20081083A1C88A87377592C63F96D,SHA256=77546C8E25135D5FD69D2769FDE399DB7FA9415B76DCFF08CA2D638FE9ED3BA8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:20.355{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:20.355{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE3FAB3F31546EB6C97E7D5570AE150,SHA256=B82A6B7C12CA1DF6235DEC3A0B6B35A8C814475700CAABA492FC5F900DFC48D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:21.459{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:21.458{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9B8B1766BE9ADD9B1043F082888D0B,SHA256=12628B1C4A74C3720E2C4F605ECE1455657410858E3AA0198F42E30F7CE92D52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:19.452{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56270-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:22.564{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC1F694C82D0D17FCC0332F3800ED4F,SHA256=A9B2F8AB340345462DDC2F247F72DC707D8A183B7527834FBC80E166459ADD3C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000245419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.526{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.526{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.525{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.525{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.523{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.523{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000245413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.523{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.522{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.516{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000245410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.516{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.515{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.515{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.515{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.514{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.514{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.514{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000245403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.514{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.514{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.514{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.513{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.512{8D845A55-2535-6260-FD02-000000004402}5332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000245388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.512{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.512{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000245386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.512{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.512{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000245384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.512{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000245383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.511{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 
734700x8000000000000000245382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.511{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.511{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.511{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000245379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:29.510{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.509{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.509{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.509{8D845A55-2535-6260-FD02-000000004402}5332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
15:22:30.600{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CD8B54A18917F0EA2F9E493C791227,SHA256=A0A463021AA0E02B7CD829BC3A301A6D967C0E933BEA1257734D195DF9EFB51B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.595{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 11241100x8000000000000000245481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.595{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000245480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.595{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70B7D87116B0860C9ABA879EB925410,SHA256=D0C7719E21671574113B9E5662D6F242DE85C680DAF2027736DC5101CB234CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.595{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D2039F94F309C3D65842DCA1619C09E,SHA256=F94E3269234FFE98377EBE51C15D012E8F291D15EECA712CA38B31B535FBFA3C,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000245478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.363{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000245477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.363{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000245476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.361{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.361{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows 
Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.207{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.207{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.206{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.205{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.204{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.204{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000245468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.204{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.203{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.197{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.197{8D845A55-2536-6260-FE02-000000004402}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.196{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.196{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.196{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.196{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.196{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000245458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.195{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.192{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.192{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.192{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.190{8D845A55-2536-6260-FE02-000000004402}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.190{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.190{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.190{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x8000000000000000245444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.190{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.190{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.189{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.189{8D845A55-2536-6260-FE02-000000004402}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.189{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000245439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.189{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000245438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.188{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2536-6260-FE02-000000004402}4460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.188{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.187{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.187{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.187{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000245433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.187{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:30.186{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.186{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:30.186{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.186{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.186{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:30.186{8D845A55-2536-6260-FE02-000000004402}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000245590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.870{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000245589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.869{8D845A55-2537-6260-0003-000000004402}3440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000245588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.869{8D845A55-2537-6260-0003-000000004402}34405352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.868{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.868{8D845A55-2537-6260-0003-000000004402}3440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.736{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.736{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.735{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.735{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.733{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.733{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000245579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.733{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.732{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.726{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.726{8D845A55-2537-6260-0003-000000004402}3440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.726{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.726{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000245569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.725{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 
734700x8000000000000000245562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.724{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000245555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.723{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.723{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.723{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.723{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.723{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000245550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.722{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.722{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000245548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.721{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.721{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.721{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000245545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:31.720{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.720{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:31.720{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.720{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:31.720{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.720{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:31.719{8D845A55-2537-6260-0003-000000004402}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000245649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:29.539{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56273-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.773{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.773{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B10F99EA57C779457BDF126D962F70F,SHA256=E46BF8EE9A8D9DCF6409633263C561C9E35A08E9A8D07970E40B91F66934EBCD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.639{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.639{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D33D37F3DA4A8675D3E55859886DB02,SHA256=3F489B53AD3DAECB5AE0C5C6239B00D62D618B8FC8FC43F599A1B30B72B12FCD,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000245644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.534{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000245643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.532{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000245642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.532{8D845A55-2538-6260-0103-000000004402}28082348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.532{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.531{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.400{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.399{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.399{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.398{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.397{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.397{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.396{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000245632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.396{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.390{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.390{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.389{8D845A55-2538-6260-0103-000000004402}2808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.389{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.389{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.388{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.388{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.388{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.388{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000245622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.388{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.388{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.387{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.386{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.386{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.386{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.386{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.386{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.386{8D845A55-2538-6260-0103-000000004402}2808C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000245604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.385{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.385{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.384{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.384{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.384{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000245599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:32.384{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.383{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:32.383{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.383{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:32.383{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.383{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.382{8D845A55-2538-6260-0103-000000004402}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000245592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.121{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:32.121{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD65F617A5AD623929820B9B759F9BD,SHA256=510B64090ED6B7EEA7A4316AF6426279ABDD3606236D755037B0D24BF54972E7,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000245763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.875{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000245762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.875{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® 
Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000245761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.873{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.873{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000245759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.798{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.798{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA86C11AD60EB458D1EE5A01E0BAFE4,SHA256=D2D9C62D1033335CD20FA68D935AA6FE39132E4052F88F57D965F1A8F051530D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.794{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.793{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC69C8D76219123D39F9C93C3F39881,SHA256=6A53E8CE988B09032493C50985CF6B4508C51EC1843F5E3BA1970EDC17BD6639,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000245755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.733{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.732{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.732{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.731{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.730{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.730{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.729{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.723{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft 
CorporationValid 734700x8000000000000000245747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.723{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.723{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.723{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.723{8D845A55-2539-6260-0303-000000004402}2592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000245741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.722{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft 
WindowsValid 734700x8000000000000000245733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router 
Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.721{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.720{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.720{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 
734700x8000000000000000245726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.720{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.719{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.719{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000245723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.719{8D845A55-2539-6260-0303-000000004402}2592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.719{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.718{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.718{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000245719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.718{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.717{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.716{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000245716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.716{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000245715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.716{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.716{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000245713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.715{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.715{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.715{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.715{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.715{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.715{8D845A55-2539-6260-0303-000000004402}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000245707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.626{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000245706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.626{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000245705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.626{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3d13cd.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.624{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3d13cd.TMP2022-04-20 15:22:33.624 11241100x8000000000000000245703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.620{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\72DCBLESQHK33GNBC3F3.temp2022-04-20 15:22:33.620 534500x8000000000000000245702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.224{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000245701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.223{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000245700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.222{8D845A55-2539-6260-0203-000000004402}4404976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.215{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000245698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.214{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.068{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.068{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.067{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.067{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.065{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000245692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.065{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.065{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.064{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.057{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.057{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.056{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.056{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.056{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000245682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.055{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000245668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.053{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.053{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.053{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.053{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000245662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.053{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 
10341000x8000000000000000245661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.052{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.052{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.051{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000245658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.051{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.051{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000245656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.051{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.051{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000245654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.050{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.050{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:33.050{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.050{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.050{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000245768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.809{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.809{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBE7C10A528483BEDB950E12E8DB7C1,SHA256=7E481A6EAB63EB22C49FFAB6F0784185A747C1C0256785B025E3242BADB671DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.743{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.742{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=83C0BEABD92DEF80B6898AEAE2C25A1D,SHA256=5FB78DB12C2DE2C856D0949E188FD869A22AECA7E3CD2B1913270C323F7EE9DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000245764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.610{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000245770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:35.912{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:35.912{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5B73F9D9F2BC73DB8727D8C9B5A101,SHA256=44BA530A11D48167B75CA406C557F75C5560796D2DBBF2BAFC6B7D585B89B394,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:37.016{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:37.016{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1C89BE13D9231B5D36DF2C59CBF28C,SHA256=6369EA2EDED2C9FCF20DD9F61D55B993D18A7706894F85AC6AEF0F162DF5D085,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:38.120{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:38.120{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7E21425FC8FAE8BA9C0500BD3C14AF,SHA256=B554A50D8F3D2C0D707997ACA9642EBD033A8FC5C8E1501B5F4E09B43E8F6E23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:39.753{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:39.752{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=9D2E90FAA009C63496A40E15C4FB0F47,SHA256=A5E912DCB780895571A8621CF26BD0827DD8790F9C5E632E4B3081BF477D4ECA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:39.424{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:39.424{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2051675476DBDD39E8CE96023221A20,SHA256=BFF9877780390D59C86411A3C53E7F6698E6C7D879304C905870904D3B029136,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:35.524{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:40.529{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:40.528{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA0BF67F99F0DBED4B368B55C5A47C7,SHA256=562C69B4CD94C06635D3F9F921F31D624FB86ABE7A9FB8D1F05F5A09C04659A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:41.632{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:41.632{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE5B893D633E1BD94A4538C48970D15,SHA256=6F184E2CFCFDAD3BF91B615AAC910F83F0C88F466FE32122B780B517028D4D1D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000245785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:42.736{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:42.736{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FCB1B39952E08E1F064F9D9FA1D49C,SHA256=A6ED6F89CCD6F86D625E9B3E44D484324A9F5598AFC1673BD43F39BF768AA06B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:43.840{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:43.840{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7507D40AB8FE381856A154B10F5D62DB,SHA256=DCA934369C7D98DF4B70147C71192EB362FE1C26922F49AF7151EF2068766BD1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:22:44.943{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:44.943{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54683D86C044C1C03C662FE971701129,SHA256=55702AE8F363C1F17E8711E5CB1AC8AED471CC25725DBB07B1674B78D9756CFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:44.772{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000245789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:44.772{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=990D7692928C814C840D911B22ADD062,SHA256=10D93D362EA8F81105B9D76199AFD8C3295B5C32E6ADCA08B970657BF4AC0350,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:40.597{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56275-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:46.046{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:46.046{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF658E91F608558D1A0AACE964B0F34,SHA256=88DD0662E5D6FDC8D24274B0B9F12A6D7CEE48729112BA9E5A328C5EB218548F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:47.149{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:47.149{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C542FB700E66DAB1E9178C9CC535D66,SHA256=8D64900813857989B91D855080F6B6CAC74FECFFE458E67B9DC0A3C07EF3B9FB,IMPHASH=00000000000000000000000000000000falsetrue 
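The records above are Sysmon events from the Microsoft-Windows-Sysmon/Operational channel as exported with their XML tags removed, so the System fields (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer) and the EventData fields run together with no delimiter. The following parser is an added example for working with a dump in that state; it is not part of the Attack Range dataset or of this page. It assumes the field order of the Sysmon schema for the event versions present here (7v3, 10v3, 3v5, 11v2, 23v5, with 1v5 handled only by the generic hash fallback), relies on Sysmon writing Task equal to EventID to split the leading digit run, and takes its six sample records verbatim from the dump above (constructed sample, one per event type). It then runs two triage checks a responder would start with: ProcessAccess events granted PROCESS_ALL_ACCESS, and ImageLoad events whose module is unsigned or whose signature did not verify.

```python
"""Parse tag-stripped Sysmon records like the ones above and run two triage checks over them."""
import re
from collections import Counter

# Regex fragments for the field shapes that survive once the XML tags are gone.
_GUID = r"\{[0-9A-F-]{36}\}"
_PATH = r"[A-Za-z]:\\"
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
_BOOL = r"true|false"
_IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_PORTNAME = r"-|[a-z][\w-]*"
_HASH = r"MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),IMPHASH=(?P<imphash>[0-9A-F]{32})"

# System section run together: EventID Version Level Task Opcode Keywords EventRecordID Channel
# Computer, then EventData's RuleName ("-") and UtcTime. Sysmon sets Task equal to EventID, and
# that backreference is what splits the leading digit run unambiguously (assumption stated above).
HEADER = re.compile(
    rf"(?<!\d)(?P<event_id>\d{{1,2}})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    rf"(?P<keywords>0x[0-9A-Fa-f]{{16}})(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    rf"(?P<computer>.+?)-(?P<utc_time>{_TS})"
)

# EventData layouts, assumed from the Sysmon schema for the versions seen above.
BODY = {
    7: re.compile(  # ImageLoad: ImageLoaded ends where FileVersion ("-" or a digit) starts
        rf"^(?P<process_guid>{_GUID})(?P<pid>\d+)(?P<image>{_PATH}.+?)"
        rf"(?P<image_loaded>{_PATH}.+?\.[A-Za-z]{{2,4}})(?=-|\d)(?P<file_meta>.*?){_HASH}"
        rf"(?P<signed>{_BOOL})(?P<signature>.*?)(?P<signature_status>Valid|Unavailable|Expired|Errors)$"),
    10: re.compile(  # ProcessAccess: SourceProcessId and SourceThreadId are fused; kept as one string
        rf"^(?P<source_guid>{_GUID})(?P<source_pid_tid>\d+)(?P<source_image>{_PATH}.+?)"
        rf"(?P<target_guid>{_GUID})(?P<target_pid>\d+)(?P<target_image>{_PATH}.+?)"
        rf"(?P<granted_access>0x[0-9a-f]+)(?={_PATH}|$)(?P<call_trace>.*)$"),
    3: re.compile(  # NetworkConnect: Image is assumed to end in .exe so User can be cut off it
        rf"^(?P<process_guid>{_GUID})(?P<pid>\d+)(?P<image>{_PATH}.+?\.exe)(?P<user>[^\\]+\\[^\\]+?)"
        rf"(?P<protocol>tcp|udp)(?P<initiated>{_BOOL})(?P<source_is_ipv6>{_BOOL})(?P<source_ip>{_IP4})"
        rf"(?P<source_hostname>.*?)(?P<source_port>\d+)(?P<source_port_name>{_PORTNAME})"
        rf"(?P<dest_is_ipv6>{_BOOL})(?P<dest_ip>{_IP4})(?P<dest_hostname>.*?)(?P<dest_port>\d+)"
        rf"(?P<dest_port_name>{_PORTNAME})$"),
    11: re.compile(  # FileCreate
        rf"^(?P<process_guid>{_GUID})(?P<pid>\d+)(?P<image>{_PATH}.+?)(?P<target_filename>{_PATH}.+?)"
        rf"(?P<creation_utc_time>{_TS})$"),
    23: re.compile(  # FileDelete
        rf"^(?P<process_guid>{_GUID})(?P<pid>\d+)(?P<user>.+?)(?P<image>{_PATH}.+?)"
        rf"(?P<target_filename>{_PATH}.+?){_HASH}(?P<is_executable>{_BOOL})(?P<archived>{_BOOL})$"),
}
FALLBACK = re.compile(rf".*?{_HASH}")  # event types without a layout above keep only the hash triple

# Constructed sample: six records copied verbatim from the dump above, one per event type it contains.
SAMPLE = [
    r'734700x8000000000000000245671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.054{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid',
    r'10341000x8000000000000000245661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.052{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791',
    r'354300x8000000000000000245775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:35.524{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56274-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-',
    r'11241100x8000000000000000245768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.809{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754',
    r'23542300x8000000000000000245767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:34.809{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBE7C10A528483BEDB950E12E8DB7C1,SHA256=7E481A6EAB63EB22C49FFAB6F0784185A747C1C0256785B025E3242BADB671DB,IMPHASH=00000000000000000000000000000000falsetrue',
    r'154100x8000000000000000245650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:33.050{8D845A55-2539-6260-0203-000000004402}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
]


def parse_record(chunk):
    """Parse one record; event types without a layout keep the header plus any hash triple."""
    m = HEADER.match(chunk)
    if not m:
        raise ValueError("not a tag-stripped Sysmon record: %r" % chunk[:40])
    ev = {k: int(v) if k in ("event_id", "version", "level", "opcode", "record_id") else v
          for k, v in m.groupdict().items()}
    body = chunk[m.end():]
    bm = BODY.get(ev["event_id"], FALLBACK).match(body) or FALLBACK.match(body)
    if bm:
        ev.update(bm.groupdict())
    for k in ("pid", "target_pid", "source_port", "dest_port"):
        if k in ev:
            ev[k] = int(ev[k])
    return ev


def parse_dump(text):
    """Split a run-together dump at every record header and parse each record."""
    starts = [m.start() for m in HEADER.finditer(text)] + [len(text)]
    return [parse_record(text[a:b].strip()) for a, b in zip(starts, starts[1:])]


PROCESS_ALL_ACCESS = 0x1FFFFF


def full_access_opens(events):
    """ProcessAccess events that opened their target with PROCESS_ALL_ACCESS."""
    return [e for e in events
            if e["event_id"] == 10 and int(e["granted_access"], 16) == PROCESS_ALL_ACCESS]


def untrusted_loads(events):
    """ImageLoad events whose module is unsigned or whose signature did not verify."""
    return [e for e in events
            if e["event_id"] == 7 and (e["signed"] != "true" or e["signature_status"] != "Valid")]


def summarize(events):
    """Event-ID histogram, the first thing to look at when sizing a dump."""
    return Counter(e["event_id"] for e in events)


if __name__ == "__main__":
    events = parse_dump(" ".join(SAMPLE))
    print(dict(summarize(events)))
    for e in full_access_opens(events):
        print(f"full access: {e['source_image']} -> {e['target_image']} ({e['granted_access']})")
```

On the sample, the only hit is record 245661, conhost.exe opening the freshly created splunk-regmon.exe with 0x1fffff; the csrss.exe open of the same process above is the same console-host plumbing, so an allowlist of (source, target) pairs is the natural next step before this check is worth alerting on. Two limits of the format are worth keeping in mind: Event 10 fuses SourceProcessId and SourceThreadId into one digit run (the parser leaves them joined rather than guess), and the path and hostname boundaries are recovered from lookaheads, so a path containing a version-like digit run or a host name ending in digits can still be cut in the wrong place.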
11241100x8000000000000000245798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:48.253{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:48.252{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C0538A8098EB1649887F2615051D4A,SHA256=355135D1B72C5EB16FB697C4E7B16ECAF21B1900B71F3B2D3907C0CD441D069B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:45.659{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56276-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:49.355{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:22:49.354{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
11241100x8000000000000000245889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:25.092{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:25.092{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E434F1AE021F4E6ECBA8491DC84D04B,SHA256=F4A699EFC557C2BC3F8C758625869A51A4DA1B9DB6BCDB162CEA8E97DC56ADAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000245893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:23.526{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56284-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000245892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:26.197{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:26.196{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE7A804DB9C9A7F479BA6F62BAA1B7B2,SHA256=FC49F6C9F2F66A5DF291A4C809EA62305B444D8DEBA91F1453676AF9D7F4440F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:26.095{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:23:26.095 11241100x8000000000000000245895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:27.201{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:27.200{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A73A510FE8175A66E4CDD8078980AE1,SHA256=CE6AB6664A0DDCB33110939689F3B30794DF4190965F3BE09FF220E08F0964AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000245897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:28.303{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000245896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:28.303{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E36CD32901FADD9A392843240B56BED,SHA256=2497E4E8A3393FE1404E58B8D58CC5E91939D29525B10249C7F27B2CBEC74355,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000245956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.672{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000245955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.671{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000245954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.669{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000245953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.668{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000245952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.520{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000245951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.520{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000245950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.519{8D845A55-2571-6260-0403-000000004402}5700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000245949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.519{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000245948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.517{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.517{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.516{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.512{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.506{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 
734700x8000000000000000245943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.506{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.506{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.506{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.505{8D845A55-2571-6260-0403-000000004402}5700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.505{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.505{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000245937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.505{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000245933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.504{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000245920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:29.503{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000245918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.502{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000245917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.502{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000245916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.502{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000245915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.502{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.501{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.501{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
10341000x8000000000000000245912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.501{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000245911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.500{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.500{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.499{8D845A55-2571-6260-0403-000000004402}5700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.499{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000245907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.499{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:29.499{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.498{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:29.498{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.498{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.498{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.498{8D845A55-2571-6260-0403-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000245900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.406{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000245899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:29.405{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706E1289420F01040F188A5BA3834DB8,SHA256=196E9390013C6BA88112842DB096B6B285C2D4DDDBDFAB83EB12677109D1319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000245898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:29.384{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DD29AF0497767D6C6286DD8A676D1BC7,SHA256=00A15890789E4D6CD82CDEC53179F0E0C3C1142DFE016B06B8B39E9DC4E21EF5,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000246068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.915{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000246067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.913{8D845A55-2572-6260-0603-000000004402}60045508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000246066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.913{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.913{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000246064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.761{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.760{8D845A55-2572-6260-0603-000000004402}6004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.760{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.759{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.757{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.757{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000246058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.757{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.756{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000246056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.756{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000246055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.750{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000246054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.750{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.750{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000246052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000246050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000246049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000246048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000246047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000246046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000246045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000246044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000246043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.749{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000246042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.748{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000246041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.748{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000246040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.748{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.747{8D845A55-2572-6260-0603-000000004402}6004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000246038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.747{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000246037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.747{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.747{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000246035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.746{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000246034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.746{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.746{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000246032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.746{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.745{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000246030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.745{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 11241100x8000000000000000246029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.745{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 734700x8000000000000000246028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.745{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x8000000000000000246027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.744{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F34FAC844DEBD7B8A72F31F5EB46D5,SHA256=6DBDC520546EA13F2B4A17F2F7DC5049CDA811AC57B50DF26B030617E4BE3288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.743{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.742{8D845A55-2572-6260-0603-000000004402}6004C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000246024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.741{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.741{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.740{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000246021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.740{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.740{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.740{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.739{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.739{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.739{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.739{8D845A55-2572-6260-0603-000000004402}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000246014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.737{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.737{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D69A27C99A1B7494F2E6BADB3853F16,SHA256=5C62ADA45C49F598475F7832DC93D3CABC563E5F6EF804F382058932A818F58D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.736{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000246011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.736{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B5692C47277DDBDA9614368319E88E,SHA256=257A2D8E379881C3CB00A7A4DDEC2D3678635ADC559EA1EC4FECA820AB7E25F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:27.730{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56285-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000246009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:27.730{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56285-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 534500x8000000000000000246008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.327{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000246007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.327{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000246006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.325{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.325{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000246004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.183{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.182{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.182{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000246001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.181{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.180{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000245999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.179{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000245998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.179{8D845A55-2572-6260-0503-000000004402}4724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000245997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.179{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000245996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.173{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000245995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.172{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000245994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.172{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000245993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.172{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000245992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft 
WindowsValid 734700x8000000000000000245991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000245990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000245989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000245988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000245987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.171{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000245985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000245984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000245983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000245982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000245981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000245980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000245979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.170{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000245978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000245977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000245976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000245975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000245974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000245973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000245972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000245971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000245970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.169{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000245969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.168{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000245968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.167{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000245967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.166{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000245966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.166{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000245965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.165{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000245964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.165{8D845A55-2572-6260-0503-000000004402}4724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000245963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.164{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.164{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.163{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:30.163{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000245959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.163{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000245958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.163{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000245957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:30.162{8D845A55-2572-6260-0503-000000004402}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000246123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.888{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000246122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.887{8D845A55-2573-6260-0703-000000004402}5788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000246121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.886{8D845A55-2573-6260-0703-000000004402}57885492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.886{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.886{8D845A55-2573-6260-0703-000000004402}5788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000246118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.762{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.761{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B0C8320C4092D683FDFDA74142ACF1,SHA256=F75CD4B4A6E12AB7486745437FC9B69FD9D157B61B742B0F03BBA7AE1A1DE237,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000246116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.741{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000246115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.740{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.740{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.739{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.738{8D845A55-2573-6260-0703-000000004402}5788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.737{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000246110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.737{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.737{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.730{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.730{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.729{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000246105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.729{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.729{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000246102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000246100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000246099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000246096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:31.728{8D845A55-2573-6260-0703-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000246136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.381{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000246135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.380{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.380{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000246133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.380{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.379{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.379{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000246130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:32.379{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.378{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:32.378{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.378{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:32.378{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.378{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:32.377{8D845A55-2574-6260-0803-000000004402}4524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000246292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.751{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000246291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.750{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000246290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.749{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000246289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.748{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000246288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.623{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.623{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC2ADFE80024882CC50DBA22B8CBD20,SHA256=41F8AE2B35E96453F1B82AD3B3D5E158298E8A2C01D427378CDB3570353383EF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000246286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.592{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.591{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.590{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.590{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000246282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.589{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000246281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.588{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.588{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.582{8D845A55-2575-6260-0A03-000000004402}5832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000246276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000246273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 
734700x8000000000000000246272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000246271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.581{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000246270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.580{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000246269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.580{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.580{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000246267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.580{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000246266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.580{8D845A55-2575-6260-0A03-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000246265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.580{8D845A55-2575-6260-0A03-000000004402}5832C:\Program 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000246196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.052{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000246195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.052{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000246194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.052{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000246193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:33.052{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000246192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.052{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000246191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.051{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.050{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating 
SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000246189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.050{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.050{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.050{8D845A55-2575-6260-0903-000000004402}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 
10341000x8000000000000000246186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.049{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.049{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000246184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.049{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.049{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
EventRecordID 246182 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-355.attackrange.local
  RuleName: -
  UtcTime: 2022-04-20 15:23:33.049
  SourceProcessGUID: {8D845A55-159A-6260-0500-000000004402}
  SourceProcessId: 420
  SourceThreadId: 536
  SourceImage: C:\Windows\system32\csrss.exe
  TargetProcessGUID: {8D845A55-2575-6260-0903-000000004402}
  TargetProcessId: 6096
  TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

EventRecordID 246181 | EventID 10 (ProcessAccess) | Version 3 | Level 4 | Task 10 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-355.attackrange.local
  RuleName: -
  UtcTime: 2022-04-20 15:23:33.049
  SourceProcessGUID: {8D845A55-15AE-6260-2E00-000000004402}
  SourceProcessId: 3040
  SourceThreadId: 3752
  SourceImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  TargetProcessGUID: {8D845A55-2575-6260-0903-000000004402}
  TargetProcessId: 6096
  TargetImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  GrantedAccess: 0x1fffff
  CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventRecordID 246180 | EventID 1 (ProcessCreate) | Version 5 | Level 4 | Task 1 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-355.attackrange.local
  RuleName: -
  UtcTime: 2022-04-20 15:23:33.049
  ProcessGuid: {8D845A55-2575-6260-0903-000000004402}
  ProcessId: 6096
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
  FileVersion: 8.2.5
  Description: Registry monitor
  Product: splunk Application
  Company: Splunk Inc.
  OriginalFileName: splunk-regmon.exe
  CommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
  CurrentDirectory: C:\Windows\system32\
  User: NT AUTHORITY\SYSTEM
  LogonGuid: {8D845A55-159B-6260-E703-000000000000}
  LogonId: 0x3e7
  TerminalSessionId: 0
  IntegrityLevel: System
  Hashes: MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778
  ParentProcessGuid: {8D845A55-15AE-6260-2E00-000000004402}
  ParentProcessId: 3040
  ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventRecordID 246294 | EventID 11 (FileCreate) | Version 2 | Level 4 | Task 11 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-355.attackrange.local
  RuleName: -
  UtcTime: 2022-04-20 15:23:34.659
  ProcessGuid: {8D845A55-15C1-6260-8300-000000004402}
  ProcessId: 776
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  CreationUtcTime: 2022-04-12 13:22:35.754

EventRecordID 246293 | EventID 23 (FileDelete) | Version 5 | Level 4 | Task 23 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-355.attackrange.local
  RuleName: -
  UtcTime: 2022-04-20 15:23:34.659
  ProcessGuid: {8D845A55-15C1-6260-8300-000000004402}
  ProcessId: 776
  User: NT AUTHORITY\SYSTEM
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes: MD5=48A6701695E723AAFF8539902624D82B,SHA256=00D69B7D564D2058754EBE90CB949E0E7E0D4CB5C6EE7E956DA13A02CABB4F7C,IMPHASH=00000000000000000000000000000000
  IsExecutable: false
  Archived: true

EventRecordID 246296 | EventID 11 (FileCreate) | Version 2 | Level 4 | Task 11 | Opcode 0 | Keywords 0x8000000000000000 | Channel Microsoft-Windows-Sysmon/Operational | Computer win-dc-ctus-attack-range-355.attackrange.local
  RuleName: -
  UtcTime: 2022-04-20 15:23:35.945
  ProcessGuid: {8D845A55-15C1-6260-8300-000000004402}
  ProcessId: 776
  Image: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  TargetFilename: C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  CreationUtcTime: 2022-04-12 13:22:35.754
23542300x8000000000000000246295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:35.944{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13586075889F91D960A8AAD4487782A4,SHA256=78A9D38215858F4FFDA7856DE1778A0D51E74C692188BE807952D1BF0C82FCE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:33.609{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56287-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000246298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:37.048{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:37.047{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00057F5DC95FFFB31052E5D301C3DD5E,SHA256=3D0032F7FF2B476E0734AF2C4C7C6C0C08FB5E40621931A6C616EACFF67F8EC2,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000246301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:38.153{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:38.153{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF1E90D78AC90914A75FEB1DA107BA3,SHA256=B2EADC22BF4A528615D2007A2CFBC956EE434A7DA0C1542E0FCB99238FAB900C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:39.157{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:39.157{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C148B064CE2713DB43C2B16BA419B1,SHA256=DA37D081C40B5717E43A0B89F607FFE14664FC2421820D97DCA8AE7D218153F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:23:40.260{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:40.260{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E9948992E9C0BFDF9258BE2C8F4B2C,SHA256=4B823BB4B533D0B28C1C7FE8560C1FB68A43F93879F0B3803F1E685C42A8CA81,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:41.365{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:41.365{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDD72EB2E27AD58464DB68EBD132355,SHA256=62B1269DB2F5A23D5E09F1D3293C825293D7CBA844AC2DDD9D6726ACDA548BCE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:42.467{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:42.467{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCE0A4AD733DFA6179C3B9BC4EC539B,SHA256=FA7A858A3A22ADA1DC8A5D66AFFF9C7B79797C067B17C3A3A64BA1E78F684C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:39.606{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56288-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000246312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:43.473{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:43.473{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68C51571072B1061E08FE4EDE0E583B,SHA256=0F666199DCEC5D040F8BD66330BDB4EBA77C2BCF7AFC7AE95D67DAEA894FA006,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:44.578{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:44.578{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F850C771E689A96EB5A84057740926EE,SHA256=0736D0FD78422034E083AA2363A92F6DDA87AB08541E68FB77737A1284212A12,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:45.683{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:45.682{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B65CFF607C5418D8FC10723C0B4613F,SHA256=E7F2CEA3639E0F5EB56C6055F6C46F955C92E0A4A721F40DFFFB99898E6DD7FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:45.250{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:45.249{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=86290D1007DF859543C7B709D86EFE49,SHA256=AF01F2AD13892D17A6D5E54D3F7ED522C3D959A040D2B29E1BA6BD114297D315,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:46.787{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:23:46.787{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Microsoft-Windows-Sysmon/Operational records from win-dc-ctus-attack-range-355.attackrange.local (a Splunk Attack Range domain controller), 2022-04-20 15:23:44 to 15:24:22 UTC. The export had its XML tags stripped, so the fields ran together; each record below is laid out by the Sysmon event schema for its EventID, decoded from the flattened System header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer).

Common to every record: Channel Microsoft-Windows-Sysmon/Operational, Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-". Event versions: EID 11 (FileCreate) v2, EID 23 (FileDelete) v5, EID 3 (NetworkConnect) v5, EID 13 (RegistryEvent) v2.
Every FileDelete (EID 23) carries IMPHASH=00000000000000000000000000000000, IsExecutable=false, Archived=true.
Every NetworkConnect (EID 3) is Protocol tcp, Initiated true, SourceIsIpv6 false, SourceIp 10.0.1.14 (SourceHostname win-dc-ctus-attack-range-355.attackrange.local), SourcePortName -, DestinationIsIpv6 false, DestinationIp 10.0.1.12 (DestinationHostname ip-10-0-1-12.us-east-2.compute.internal), DestinationPortName -.

Processes (ProcessGuid / ProcessId / Image):
  {8D845A55-15C1-6260-8300-000000004402} / 776  / C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
  {8D845A55-15B9-6260-7900-000000004402} / 3332 / C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe
  {8D845A55-15AE-6260-2E00-000000004402} / 3040 / C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
  {8D845A55-15AE-6260-2D00-000000004402} / 2972 / C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
  {8D845A55-15B0-6260-4700-000000004402} / 3580 / C:\Program Files\Amazon\SSM\ssm-agent-worker.exe
  {8D845A55-159D-6260-1100-000000004402} / 416  / C:\Windows\System32\svchost.exe
  {8D845A55-159B-6260-0B00-000000004402} / 636  / C:\Windows\system32\lsass.exe

Abbreviations used in the records:
  UF          = C:\Program Files\SplunkUniversalForwarder
  CHECKPOINT  = UF\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  SSM         = C:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health
  W32TIME     = HKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits
  SYSTEM      = NT AUTHORITY\SYSTEM
  UtcTime is shown as time of day on 2022-04-20.

Record layout:
  EID 11 FileCreate:        EID 11  #EventRecordID  UtcTime  pid N  create  TargetFilename  (CreationUtcTime ...)
  EID 23 FileDelete:        EID 23  #EventRecordID  UtcTime  pid N  delete  TargetFilename  User  MD5=...  SHA256=...
  EID 3  NetworkConnect:    EID 3   #EventRecordID  UtcTime  pid N  tcp SourceIp:SourcePort -> DestinationIp:DestinationPort  User
  EID 13 RegistryEvent:     EID 13  #EventRecordID  UtcTime  pid N  SetValue  TargetObject = Details

Records, in page order:

(record cut by the page boundary; its header and the start of Image are on the previous line)
        delete  Image ends "Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"  CHECKPOINT  MD5=BB1B79607BBC43024D212F27ED70088F  SHA256=5E5E76786729E8E33CAF3687217B215EC03CC2215A79B692322C1170C9C1B00E
EID 11  #246322  15:23:47.894  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246321  15:23:47.893  pid 776   delete  CHECKPOINT  SYSTEM  MD5=A95191BD38720B60735EA6F241E0CBE2  SHA256=A8BDF046C0DAB7962B5F48E2CF97E6FC3C7168F4EC553CCA7BA3680E2C60CCEB
EID 23  #246324  15:23:48.999  pid 776   delete  CHECKPOINT  SYSTEM  MD5=0E008F497F65E70C80C41D53A2FB11AE  SHA256=CB6097C80277A172E4D000E65E7ED874595AC34B116AC169874C57331D6EFF7D
EID 3   #246323  15:23:44.656  pid 3332  tcp 10.0.1.14:56289 -> 10.0.1.12:8000  SYSTEM
EID 11  #246325  15:23:48.999  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 11  #246327  15:23:50.107  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246326  15:23:50.106  pid 776   delete  CHECKPOINT  SYSTEM  MD5=816F5D616653A1013CF54BE41D71C5C5  SHA256=7388D308B2595E0F0F6541A7675A780D7B4A1983D6798687ED5FE6C15C7796A2
EID 11  #246329  15:23:51.113  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246328  15:23:51.112  pid 776   delete  CHECKPOINT  SYSTEM  MD5=4DDDFC47BE8CEF0DADFE0CE0A8542377  SHA256=36AF533078B45B6C74E774EB84F05F37D0D8C8EF3C98258FD8F16A7DB39D08CC
EID 11  #246331  15:23:52.118  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246330  15:23:52.117  pid 776   delete  CHECKPOINT  SYSTEM  MD5=D335C5A7207AFD33AC12E1B8085FA199  SHA256=2A4C3DDCC4D54FCC6ADCC773463190722CDC8361FE23D3A31D862621714D0EAE
EID 11  #246333  15:23:53.222  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246332  15:23:53.222  pid 776   delete  CHECKPOINT  SYSTEM  MD5=B0F279A0F2A2E690E50D570BFF1201F5  SHA256=776B989E6184A14BFF08637BE190C61C33C77D49EF82BA1928F219131D8A1E59
EID 3   #246336  15:23:50.435  pid 3332  tcp 10.0.1.14:56290 -> 10.0.1.12:8000  SYSTEM
EID 11  #246335  15:23:54.228  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246334  15:23:54.227  pid 776   delete  CHECKPOINT  SYSTEM  MD5=59025EE74AE1C357A2A309A023C6D9A4  SHA256=6A31B095757981017AD5F61D3F77B6533CF94D377AE5EC0A9B6B50F75903B6F3
EID 11  #246338  15:23:55.332  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246337  15:23:55.332  pid 776   delete  CHECKPOINT  SYSTEM  MD5=945DC9B8D58535EBC252FC3D29215044  SHA256=3D7303900A01D379D7C2D70D34D98ACC83CAB0956FD700E0683169DF604C44C2
EID 23  #246344  15:23:56.483  pid 2972  delete  SSM\respondent-20220420141616-065  SYSTEM  MD5=8D93873C901538A8B2B909297EDAE7BB  SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD
EID 11  #246343  15:23:56.481  pid 3580  create  SSM\tmp\respondent-20220420141616-065  (CreationUtcTime 2022-04-20 15:23:56.481)
EID 11  #246342  15:23:56.480  pid 2972  create  SSM\tmp\surveyor-20220420141614-066  (CreationUtcTime 2022-04-20 15:23:56.480)
EID 11  #246341  15:23:56.437  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246340  15:23:56.437  pid 776   delete  CHECKPOINT  SYSTEM  MD5=FAEB5DC902E2BD0954207670355ADFBA  SHA256=EF199BCCB2C582929EC7627049CD3B9A6624A1CCF6CC0D6BF69C4037DBFBFFB6
EID 11  #246339  15:23:56.101  pid 3040  create  UF\var\spool\splunk\tracker.log  (CreationUtcTime 2022-04-20 15:23:56.101)
EID 23  #246347  15:23:57.481  pid 2972  delete  SSM\surveyor-20220420141614-066  SYSTEM  MD5=97EF2A570B75C4F95FC69B0D09A2E2A2  SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7
EID 11  #246346  15:23:57.443  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246345  15:23:57.443  pid 776   delete  CHECKPOINT  SYSTEM  MD5=B6DCD8E980731CB740849F1ADBEE423D  SHA256=2CF273D6570909EDFCC5BB1913A3D2194046993642BB73A15ACFE2618590E5F0
EID 11  #246350  15:23:58.552  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246349  15:23:58.551  pid 776   delete  CHECKPOINT  SYSTEM  MD5=FDC1DA02409D03C74291560593D6D0D1  SHA256=ADD800727AC438E8D3DCC7148A50AC213B807320F75FD5F81CAED157E9D5B48A
EID 3   #246348  15:23:55.453  pid 3332  tcp 10.0.1.14:56291 -> 10.0.1.12:8000  SYSTEM
EID 23  #246355  15:23:59.584  pid 3040  delete  UF\var\spool\splunk\tracker.log  SYSTEM  MD5=F4CBEC92CD96CFB928484DEF5E375F34  SHA256=A707912F8C0B7A864220D7BFC5BBBC918BA3345BA668E7E5DCF02A313C4A34EC
EID 11  #246354  15:23:59.556  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246353  15:23:59.555  pid 776   delete  CHECKPOINT  SYSTEM  MD5=3ED34CF88C74946A8B427A737F4CC730  SHA256=95B220B69BDED39E568299EF70237B65E7CC45805CC10FF683C1BD3C8F1C2570
EID 11  #246352  15:23:59.288  pid 416   create  C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat  (CreationUtcTime 2022-04-20 14:15:57.498)
EID 23  #246351  15:23:59.287  pid 416   delete  C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat  NT AUTHORITY\LOCAL SERVICE  MD5=68EAA35801616BB466D343F5BDBCBCD6  SHA256=A35BB6C0B1525C78B58559EFBFD45AFEC74C73B19AAF8DBB5600EFDCBB398221
EID 11  #246367  15:24:00.562  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246366  15:24:00.561  pid 776   delete  CHECKPOINT  SYSTEM  MD5=16CF5733B03CB45C4882822ADDE088C0  SHA256=74A06E5645BF4A195884B695A6E886F757FE5D3B43147D3F5684A248A3282424
EID 13  #246365  15:24:00.139  pid 636   SetValue  W32TIME\RunTime\SecureTimeConfidence = DWORD (0x00000006)
EID 13  #246364  15:24:00.139  pid 636   SetValue  W32TIME\RunTime\SecureTimeTickCount = QWORD (0x00000000-0x003e65c1)
EID 13  #246363  15:24:00.139  pid 636   SetValue  W32TIME\SecureTimeLow = QWORD (0x01d854c2-0x46f517ea)
EID 13  #246362  15:24:00.139  pid 636   SetValue  W32TIME\SecureTimeEstimated = QWORD (0x01d854ca-0xa8b97fea)
EID 13  #246361  15:24:00.139  pid 636   SetValue  W32TIME\SecureTimeHigh = QWORD (0x01d854d3-0x0a7de7ea)
EID 13  #246360  15:24:00.139  pid 636   SetValue  W32TIME\RunTime\SecureTimeConfidence = DWORD (0x00000006)
EID 13  #246359  15:24:00.139  pid 636   SetValue  W32TIME\RunTime\SecureTimeTickCount = QWORD (0x00000000-0x003e65c1)
EID 13  #246358  15:24:00.139  pid 636   SetValue  W32TIME\SecureTimeLow = QWORD (0x01d854c2-0x46f517ea)
EID 13  #246357  15:24:00.139  pid 636   SetValue  W32TIME\SecureTimeEstimated = QWORD (0x01d854ca-0xa8b97fea)
EID 13  #246356  15:24:00.139  pid 636   SetValue  W32TIME\SecureTimeHigh = QWORD (0x01d854d3-0x0a7de7ea)
EID 11  #246369  15:24:01.664  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246368  15:24:01.664  pid 776   delete  CHECKPOINT  SYSTEM  MD5=96B68D6F9603CC77D9789DF52201868C  SHA256=49947DC84B3D4CBF0310422DBEFC7CF7093A929770FB26CEDF41EE542A40770D
EID 11  #246371  15:24:02.769  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246370  15:24:02.768  pid 776   delete  CHECKPOINT  SYSTEM  MD5=0174EB51C570BA5E2DBE2924EE8B20A7  SHA256=F10DAEBF0323B205DED0BB163BF4717DB20654620B7F8282DC60E67AEF9B1701
EID 11  #246375  15:24:03.771  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246374  15:24:03.771  pid 776   delete  CHECKPOINT  SYSTEM  MD5=502B277E0732ACBDF27B13CC2AB5E05E  SHA256=9F689B37558B2321F726CDC879E505F59C2EE960A81420DA175937779F9FF197
EID 11  #246373  15:24:03.411  pid 3040  create  UF\var\run\serverclass.xml  (CreationUtcTime 2022-04-12 13:20:00.173)
EID 23  #246372  15:24:03.411  pid 3040  delete  UF\var\run\serverclass.xml  SYSTEM  MD5=05FFF3FF76A710A0F458E3D636098363  SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13
EID 11  #246379  15:24:04.874  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246378  15:24:04.874  pid 776   delete  CHECKPOINT  SYSTEM  MD5=480559C2F1AA54C281B3DB77C43E364F  SHA256=2A8D622AB4F6F0889A54249C1FF5E7985FFC742337F06FF245B411006D1568DD
EID 3   #246377  15:24:01.817  pid 3040  tcp 10.0.1.14:56293 -> 10.0.1.12:8089  SYSTEM
EID 3   #246376  15:24:00.556  pid 3332  tcp 10.0.1.14:56292 -> 10.0.1.12:8000  SYSTEM
EID 11  #246381  15:24:05.979  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246380  15:24:05.979  pid 776   delete  CHECKPOINT  SYSTEM  MD5=6843659CA263714B6397AEFAB410DC50  SHA256=50CC165204F98F4296378EAB304236C0AC92597453184278F19F62C4F6651BD8
EID 11  #246383  15:24:07.082  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246382  15:24:07.082  pid 776   delete  CHECKPOINT  SYSTEM  MD5=6D024E4631B0D19066A88A0E8A1F0D14  SHA256=381C615B482264CA4BBE38EEAF0400E015AAC30C23BAD0602460CDF373F30F33
EID 3   #246386  15:24:05.591  pid 3332  tcp 10.0.1.14:56294 -> 10.0.1.12:8000  SYSTEM
EID 11  #246385  15:24:08.186  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246384  15:24:08.186  pid 776   delete  CHECKPOINT  SYSTEM  MD5=8F5F37CB9A0EAE6BBF638638F65539C7  SHA256=EC6BEDA21199EDC4A049D46B1045F8951E2041DDABC6E35E30785F9D71392B9A
EID 11  #246388  15:24:09.190  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246387  15:24:09.190  pid 776   delete  CHECKPOINT  SYSTEM  MD5=2311A0A7780398A9FF0EC193A6EF3178  SHA256=6150EB79520208DDADD52984BDF714723A6DC591E5A2712433D615EB8C6834E3
EID 11  #246390  15:24:10.294  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246389  15:24:10.293  pid 776   delete  CHECKPOINT  SYSTEM  MD5=FC1BB8D635FCF805CE293E3154F02FF2  SHA256=44234E0851B1C837DD36BF1B4143ADED9CBA9A553C18EE485CAA422651017B7F
EID 11  #246392  15:24:11.398  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246391  15:24:11.398  pid 776   delete  CHECKPOINT  SYSTEM  MD5=6EB39ADD88C200EBFFF574944464E6BD  SHA256=501AFC477330781FBF797B83B4E20A0E7B9D6A8ECE69ACA833B865F6A2F274E3
EID 11  #246394  15:24:12.501  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246393  15:24:12.501  pid 776   delete  CHECKPOINT  SYSTEM  MD5=FFC44F528C417CECA57C71EB5C477D42  SHA256=2E9E27D254DF5299DA7D3E76B96D9ED38E23CD1D32F5802E832B31567AB4D8DD
EID 11  #246396  15:24:13.605  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246395  15:24:13.604  pid 776   delete  CHECKPOINT  SYSTEM  MD5=1A08B07E72385BBEC09335EF7C2EBDCB  SHA256=0D1BCF0932B5202F0BA5D3B1C2A70B0D8F9197A25F92B558A370B748449EA502
EID 11  #246399  15:24:14.709  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246398  15:24:14.709  pid 776   delete  CHECKPOINT  SYSTEM  MD5=E791F331808B40BAC235D35E92FB2FC2  SHA256=0680B129B31261A82F5CF69C7A66F2D90D0B2C525CBBC1BC158301C84571232C
EID 3   #246397  15:24:10.667  pid 3332  tcp 10.0.1.14:56295 -> 10.0.1.12:8000  SYSTEM
EID 11  #246401  15:24:15.813  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246400  15:24:15.813  pid 776   delete  CHECKPOINT  SYSTEM  MD5=9A83242182160E1413A9C4B517CE869F  SHA256=35B04ACF9CD70F64DA6240ED225A8DB9C0AE75681930A8725383A4A1FEFA3C1A
EID 11  #246403  15:24:16.919  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246402  15:24:16.919  pid 776   delete  CHECKPOINT  SYSTEM  MD5=B9D3EF160D6C29691523264A6883BCB6  SHA256=9A848CA168EF9751212788BCA58DF70DBF024C13D81912EA778DC8FFFA3EF5AD
EID 11  #246405  15:24:18.022  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246404  15:24:18.022  pid 776   delete  CHECKPOINT  SYSTEM  MD5=3D2CB9549F148761E1B6EE19355BA9C7  SHA256=0DABD9ADDD6EBD5EB049DDB86E4EF6BAB60E17091866D8B201FBF7311C950B7C
EID 3   #246408  15:24:16.456  pid 3332  tcp 10.0.1.14:56296 -> 10.0.1.12:8000  SYSTEM
EID 11  #246407  15:24:19.129  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246406  15:24:19.129  pid 776   delete  CHECKPOINT  SYSTEM  MD5=D687A72E3ADE904B0BF6EC07981D46FF  SHA256=09BE3A9A578F2807AA65573B22DB00B1360C31A15A820F3CEF90D58B5EFA6483
EID 11  #246410  15:24:20.233  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246409  15:24:20.233  pid 776   delete  CHECKPOINT  SYSTEM  MD5=DC9E58AAC198A582B1D288C1B3A73BE7  SHA256=CCB0AF7ACC71EC79A2B1895DC072B5B87F4E24B6E2E0634A663D38241EBCA29A
EID 11  #246412  15:24:21.337  pid 776   create  CHECKPOINT  (CreationUtcTime 2022-04-12 13:22:35.754)
EID 23  #246411  15:24:21.337  pid 776   delete  CHECKPOINT  SYSTEM  MD5=84E6892554AB7E986EBF4AAF00A85377  SHA256=76ECD68D504352533AF989634DE0D8FDA69D9B67A7F931250BCBB5F0A7361C9A
EID 11  #246414  15:24:22.441  pid 776   create  TargetFilename cut off at the end of the page after "C:\Program "
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:22.440{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD26E823EE2A368F47989EB4B784CDB9,SHA256=AC2AAF301BC0F9A450152BA15ABB7E5C9A153DCA610BBEE946AC356FC6AA1ECA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:23.545{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:23.545{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C6B2AE0A43934FC03DB1E372E32AA7,SHA256=E77CD846F536B0DDE40C5E71D562249F1C6797DC558D44373BD6945B6AB34F66,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:24.650{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000246418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:24.650{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFF6630EA7BBC8AD6721AF0CC1B25BD,SHA256=6C6E85060C57BBA2A6C92F774291A9AC6CC9488E336FAC628245F525997144B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:21.505{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56297-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000246421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:25.755{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:25.755{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D512D2AA0809B35589AABBA6E1882273,SHA256=05F313980D574C6B6AEC32AE8181837D36AC9D1D1684A5598CF488D8BD9B13ED,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000246424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:26.863{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:26.861{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D8B2F79122384C70582A88E2A87374,SHA256=7E0D814A2D5C53735CDC4A5F6CF34E477E351ADAF5B5D3E6CCF94B5947B60DB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:26.088{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:24:26.088 11241100x8000000000000000246426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:27.965{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:27.965{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E529419182BCA30C2AA234A84331AB,SHA256=98F2AA15FA8B10E2B90090519B8B2FC7D2317F93C7C4C4337214F2BA92636E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.790{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E6C7B06BB2DE294CFB026A7EF32BAAC7,SHA256=36DC887AD411E0828F289A95C2472F94447F4DC64F9902614DDD8AD22639D1F5,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000246484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.668{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000246483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.666{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000246482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.664{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.664{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000246480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.521{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.520{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000246478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.520{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.519{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.517{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.517{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000246474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.516{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.516{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.510{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000246471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.510{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.509{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.509{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000246468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.509{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.508{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000246466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.508{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.508{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000246464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.508{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000246463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.508{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000246461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000246459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000246458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000246457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000246456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000246455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft 
WindowsValid 734700x8000000000000000246454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.507{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.506{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000246452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.506{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000246451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:29.506{8D845A55-25AD-6260-0B03-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
734700x8000000000000000246554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.835{8D845A55-25AE-6260-0D03-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.835{8D845A55-25AE-6260-0D03-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.834{8D845A55-25AE-6260-0D03-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000246551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.834{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.834{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.834{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.834{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.834{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-25AE-6260-0D03-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.834{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25AE-6260-0D03-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.833{8D845A55-25AE-6260-0D03-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000246544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.587{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.587{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39391887DB5F3B4B14D55A63E010E685,SHA256=75BF5D15DF76071ADC2F721E0A1638CAA79156A918B07F3D077EAC513DC630B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.586{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000246541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.586{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=580B2B9DA512B00F34170A17E7CBB2E3,SHA256=7902C0581E74216D61816C532FABF5EF2D8467528B603BF147C2BD59316B25D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:27.732{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56299-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000246539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:27.732{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56299-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000246538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:27.507{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56298-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000246537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.337{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000246536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.336{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000246535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.334{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.334{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000246533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.191{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.191{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.190{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.189{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000246529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.184{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.184{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000246527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.184{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.183{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.175{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.175{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.175{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000246522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.174{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.174{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.174{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000246519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.174{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000246517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000246516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000246514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000246513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.173{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000246511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000246510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000246509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000246508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000246507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000246506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000246505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000246504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000246503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.172{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000246502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.171{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000246501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.171{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000246500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.171{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000246499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.171{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000246498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.171{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000246497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.170{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.170{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000246495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.170{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.169{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000246493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.169{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.169{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000246491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.169{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.168{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:30.168{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.168{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.168{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:30.168{8D845A55-25AE-6260-0C03-000000004402}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000246652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.873{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000246651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.873{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000246650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.873{8D845A55-25AF-6260-0E03-000000004402}46645116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.871{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.871{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000246647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.732{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.731{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.731{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.730{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.729{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.728{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000246641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.728{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.728{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.722{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.721{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.721{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000246636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.721{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.721{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.720{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000246633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.720{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.720{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000246631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.720{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.720{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000246629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.720{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:31.719{8D845A55-25AF-6260-0E03-000000004402}4664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.934{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000246716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.934{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.934{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.933{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000246713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.933{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:32.933{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.933{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:32.933{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.932{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.932{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.932{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000246706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.425{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000246705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.423{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000246704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.423{8D845A55-25B0-6260-0F03-000000004402}59124784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.423{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.422{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000246701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.283{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.282{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.282{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.281{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.280{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.280{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000246695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.279{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.279{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.273{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.273{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.273{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000246690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.272{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.272{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.272{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.272{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000246686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000246685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000246684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000246682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000246681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000246680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000246679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000246678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000246677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.271{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000246676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000246675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL 
ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000246674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000246673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000246672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000246671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000246670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000246669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000246668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.270{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000246667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.269{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000246666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.269{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.268{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000246664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.268{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.267{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.267{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000246661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:32.267{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.267{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:32.267{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.266{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:32.266{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.266{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.266{8D845A55-25B0-6260-0F03-000000004402}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000246654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.265{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.265{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB3E69D3D9D555CF6341CE5254825A0,SHA256=987A49175DE8A4847915A1A244B474648341D8BAAA779D0009BA1DCA361B9F68,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000246822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.775{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000246821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.774{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® 
Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000246820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.772{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.772{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000246818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.632{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000246817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.632{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000246816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.631{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3ee88d.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.630{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF3ee88d.TMP2022-04-20 15:24:33.630 734700x8000000000000000246814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.628{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000246813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.628{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000246812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.627{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000246811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.627{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000246810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.624{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
11241100x8000000000000000246809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.624{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5Z71GSCDSFJ6CJD2HSZ.temp2022-04-20 15:24:33.624 734700x8000000000000000246808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.624{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000246807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.624{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000246806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.617{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000246805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.617{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000246804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.617{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000246803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.617{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000246802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.617{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000246801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000246800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000246799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000246798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000246797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000246796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL 
Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000246795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000246794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000246793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.616{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000246792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000246791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000246790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000246789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000246788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000246787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000246786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.615{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000246785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.614{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000246784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.614{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000246783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.614{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000246782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.614{8D845A55-25B1-6260-1103-000000004402}3224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000246781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.613{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000246780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.613{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000246779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.613{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.613{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000246777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.612{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.611{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000246775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.611{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000246774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.610{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000246773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.610{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000246772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:33.610{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.610{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:33.610{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.609{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:33.609{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.609{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.609{8D845A55-25B1-6260-1103-000000004402}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000246765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.326{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.326{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC02B058D7A902730F6107632A628B2A,SHA256=E2AA0144CE53778BF97898F1DFBE3A19BE88E02F8BB62F2CC206B74EF0742BFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.323{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.323{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E0F87D855BCD79C82A0222EE49E454,SHA256=2681190859535437C11F5636F7E511B99B4FC76639FABC33E881D91B8B822AC1,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000246761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.092{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000246760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.091{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000246759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.090{8D845A55-25B0-6260-1003-000000004402}20362892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000246758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.084{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000246757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.081{8D845A55-25B0-6260-1003-000000004402}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000246756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.008{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\aborted-session-pingMD5=9010ED25CBCC5C6441D27D57D6427162,SHA256=595B3AE4E82D4D56182459AA28DAF990EC3BEC21309F639134B7824D355C250F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:33.004{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\aborted-session-ping.tmp2022-04-20 15:24:33.003 11241100x8000000000000000246826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:34.915{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:34.915{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B57CEF40A8A3261AAAA07B2D3F9DE8,SHA256=60782A5FAC7AF4E7A4C7F8360233E22DFE64FB11ACDA24949834329BD919310C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000246824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:34.612{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:34.612{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000246829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:32.562{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56300-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000246828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:35.651{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:35.650{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1419F64425254A20BB35C375CBD0D723,SHA256=B7B1C8CF059F78B70C87E7041B5EA08B556680359AC432DF423838852AB8D999,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:36.755{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:36.755{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964187D118FFE159F397585A3A045001,SHA256=8D733BBDD86D9C8E0EAAAE199E1E7A8295175CAECB42576B6649D479AB35EEAB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:37.858{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:37.858{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E448BF16C5DF90707DBCF11212EAE22,SHA256=D55C8003BAFE9273637AE5E79706C1A42550C68BF3CB5E866691BF2CCFB0AD1C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:38.863{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000246834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:38.863{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44FA844AE6FAB8C366CBDF9FF4FAF54,SHA256=44F9BDDEC12110619AB9DF316A33C1809C24030046E45510F1DA314DC8FD78DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:39.967{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:39.967{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504ED88419BBFA599C5A694682B5E590,SHA256=9310809650016334BFAC8A2C73FADB3B1C0C29A39D35EBA2284B6A74754C4481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:37.592{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56301-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
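The records above are Sysmon events from the Attack Range domain controller win-dc-ctus-attack-range-355 (ProcessCreate 1, NetworkConnect 3, ProcessTerminate 5, ImageLoad 7, ProcessAccess 10, FileCreate 11, FileDelete 23) whose XML field boundaries were lost in extraction, so each event's System and EventData fields run together in schema order. The Python below is an added example, not part of this page and not Sysmon's or Splunk's own tooling: it re-splits a handful of records copied from this dump back into fields by anchoring on the values whose shape is unambiguous (GUIDs, drive-letter paths, hex access masks, IPv4 addresses), then runs two checks a responder would want over them. It assumes Sysmon's field order for EventIDs 1, 3 and 10, IPv4 addresses and "-" port names (true for this dump), cuts the copied splunkd.exe call trace short for length, and adds one constructed ProcessAccess record (zero GUIDs, record id 999999, powershell.exe as the source) that does not appear on the page, so the handle check has something to report.

```python
"""Re-split the delimiter-less Sysmon dump on this page back into events and run two
checks over them.  Added example, not the page's own code: each record is the System and
EventData fields of one Sysmon event run together in schema order, so the split anchors
on fields whose shape is unambiguous (GUIDs, drive-letter paths, hex masks, IPs)."""
import re
from collections import defaultdict

# Three records copied from the dump above (EventID 1 ProcessCreate; EventID 10 ProcessAccess
# with its splunkd.exe call trace cut after three frames; EventID 3 NetworkConnect) plus one
# CONSTRUCTED EventID 10 record (zero GUIDs, record id 999999, powershell.exe opening the new
# process) so the handle check has a hit.  Records are separated by a space, as on the page.
SAMPLE = (
    r'154100x8000000000000000246766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355'
    r'.attackrange.local-2022-04-20 15:24:33.609{8D845A55-25B1-6260-1103-000000004402}3224'
    r'C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor '
    r'splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder'
    r'\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM'
    r'{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,'
    r'SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,'
    r'IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040'
    r'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe'
    r'"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service '
    r'10341000x8000000000000000246767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355'
    r'.attackrange.local-2022-04-20 15:24:33.609{8D845A55-15AE-6260-2E00-000000004402}30403752'
    r'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25B1-6260-1103-000000004402}3224'
    r'C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32'
    r'\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346 '
    r'354300x8000000000000000246838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355'
    r'.attackrange.local-2022-04-20 15:24:37.592{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files'
    r'\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY'
    r'\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56301-false10.0.1.12'
    r'ip-10-0-1-12.us-east-2.compute.internal8000- '
    r'10341000x8000000000000000999999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355'
    r'.attackrange.local-2022-04-20 15:24:40.000{00000000-0000-0000-0000-000000000000}61234567'
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8D845A55-25B1-6260-1103-000000004402}3224'
    r'C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144'
)

GUID = r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}'
EXE = r'[A-Za-z]:\\.+?\.exe'            # shortest drive-letter path ending in .exe
IP = r'\d{1,3}(?:\.\d{1,3}){3}'          # this dump is IPv4 only
# System part: EventID, Version, Level 4, Task (== EventID), Opcode 0, Keywords 0x8000000000000000,
# EventRecordID (never leading-zero), Channel, Computer, a '-' placeholder, then UtcTime
HEADER = re.compile(r'(?P<eid>\d{1,2})(?P<ver>\d)4(?P=eid)00x80+(?P<rid>[1-9]\d*)'
                    r'Microsoft-Windows-Sysmon/Operational(?P<host>.+?)-'
                    r'(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})')
BODY = {  # EventData part per EventID; the port-name fields are all '-' in this dump
    1: re.compile(rf'^(?P<guid>{GUID})(?P<pid>\d+)(?P<img>{EXE}).*?IMPHASH=[0-9A-F]+'
                  rf'(?P<pguid>{GUID})(?P<ppid>\d+)(?P<pimg>{EXE})'),
    10: re.compile(rf'^(?P<sguid>{GUID})(?P<spidtid>\d+)(?P<simg>{EXE})(?P<tguid>{GUID})'
                   rf'(?P<tpid>\d+)(?P<timg>{EXE})(?P<access>0x[0-9a-f]+)(?P<trace>[A-Za-z]:\\.*)$'),
    3: re.compile(rf'^(?P<guid>{GUID})(?P<pid>\d+)(?P<img>{EXE})(?P<user>.+?)(?P<proto>tcp|udp)'
                  rf'(?P<initiated>true|false)(?:true|false)(?P<sip>{IP})(?P<shost>.+?)(?P<sport>\d+)-'
                  rf'(?:true|false)(?P<dip>{IP})(?P<dhost>.+?)(?P<dport>\d+)-$'),
}

def base(path):
    return path.rsplit('\\', 1)[-1].lower()

def parse(blob):
    """Cut the dump at each System header and decode the body of the EventIDs we know."""
    heads = list(HEADER.finditer(blob))
    events = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(blob)
        ev = m.groupdict()
        ev['eid'], ev['rid'] = int(ev['eid']), int(ev['rid'])
        pat = BODY.get(ev['eid'])
        body = pat.match(blob[m.end():end].strip()) if pat else None
        if body:
            ev.update(body.groupdict())
        events.append(ev)
    return events

PROCESS_ALL_ACCESS = 0x1FFFFF
NOISE = {'csrss.exe', 'conhost.exe'}  # subsystem/console hosts open every new process with full access

def full_access_handles(events):
    """EventID 10 grants of PROCESS_ALL_ACCESS whose source is neither csrss/conhost nor the
    target's parent.  Parentage is matched on ProcessGuid, which survived the delimiter loss;
    SourceProcessId+SourceThreadId did not ('30403752' is 3040 + 3752 only if you know 3040)."""
    parent_of = {e['guid']: e['pguid'] for e in events if e['eid'] == 1}
    hits = []
    for e in events:
        if e['eid'] != 10 or 'access' not in e:
            continue
        if (int(e['access'], 16) & PROCESS_ALL_ACCESS) != PROCESS_ALL_ACCESS:
            continue                                   # test the mask bits, not the string
        if base(e['simg']) in NOISE or parent_of.get(e['tguid']) == e['sguid']:
            continue
        hits.append((e['rid'], e['simg'], e['timg']))
    return hits

def outbound_connections(events):
    """Initiated EventID 3 connections grouped by image: {image: {(dst ip, dst port)}}."""
    out = defaultdict(set)
    for e in events:
        if e['eid'] == 3 and e.get('initiated') == 'true':
            out[base(e['img'])].add((e['dip'], int(e['dport'])))
    return dict(out)

if __name__ == '__main__':
    print(full_access_handles(parse(SAMPLE)), outbound_connections(parse(SAMPLE)))
```

Run as-is it reports the constructed powershell.exe record only: the 0x1fffff open of splunk-winprintmon.exe by splunkd.exe (record 246767) is dropped because the source ProcessGuid equals the ParentProcessGuid from the ProcessCreate record 246766, and csrss/conhost opens are the usual ProcessAccess noise. The GUID correlation is the point worth keeping when you work with a dump like this one: PIDs and thread IDs were fused by the delimiter loss and cannot be split without outside knowledge, but GUIDs, paths and hash strings keep their shape. The network check just groups initiated connections per image, which here is streamfwd.exe to 10.0.1.12:8000, the same destination the other EventID 3 records on the page show.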
15:24:54.616{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:54.616{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:54.616{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:54.616{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:54.616{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000246866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:54.423{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:54.423{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517A3CD0740D751EC6F16D1DF0438E5D,SHA256=BA3A7BA5374C757C7F0A1C79720DA48C90EE166C7F831B2F7860167978E37E98,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:55.753{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000246908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:55.752{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E67EEA294BC70AF4C84B57FE2B472AB,SHA256=A1D4E1ADC5FDEF3400F96056A8375129E5527398FA26144FBBF76C4F59A0F1B3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:56.944{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:56.944{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902062BFD904D049EF8C964D87B8856C,SHA256=6AF795B1BAECD9B81C49DEEA32970CD86995A85387BB5E383EAE584BA5F6D117,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:53.497{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56304-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000246910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:56.108{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:24:56.108 23542300x8000000000000000246918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:57.987{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-066MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:57.986{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0662022-04-20 15:24:57.986 11241100x8000000000000000246916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:57.985{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0672022-04-20 15:24:57.985 11241100x8000000000000000246915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:57.950{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000246914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:57.950{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B5EB6F6963220253C65855CE0DF53A,SHA256=1D0EB3FCCA737A1020005BD91EAD94354EC1C33B71B1DC772F4713A0BE179D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:58.986{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000246924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:59.982{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF0A84A44152954D8C548C67F0816317,SHA256=7F493D8B4D39E248E521812D92C809F945C8AC62E871D56650C08F05BE5FC020,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:59.290{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-04-20 14:16:57.501 23542300x8000000000000000246922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:24:59.289{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E922CE91A4F824CE5BC5D47D4C35A1DC,SHA256=8347496FD2E3904182C9786F596BE42AE7D3EBC95D8E2B82CFF9AFBA1F538BC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:59.054{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:59.053{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B62C442CBCC3250D77D85E0201052F0,SHA256=5A6D8EB75DF876C26001DD835C84F55443BFEFB1B97361F0430D1842AB974237,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:00.058{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:00.058{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE58207C8782CFE68A409131209389BF,SHA256=9CE86D0A293078F8818B4132A4249CD69F7D836DDF3D0C3A740C331666B32548,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:24:58.536{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56305-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000246928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:01.162{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:01.162{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BD710AA5A16C25124FFD675B359F77,SHA256=BFF8129696D6330215F8877A0D49FFEAC1D59A04A0AC5F830F4D10B75538F2A6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:02.168{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000246930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:02.168{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7007CD897A8F4803CFF1F3EEFEE0DA58,SHA256=08C17AB1BFF63D4B29941F44411150C98CEC1B963332593E52160D18C7A95995,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:03.428{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000246934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:03.428{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:03.172{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:03.172{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932D08282A2C22E24D07DE0C32E473CA,SHA256=3DABE393758D5B2425654143EBF0EED014675316F75A1DBC3C63A7B29D5E6600,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:01.833{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56306-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000246937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:04.176{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:04.176{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B3204C87628E259A63A05394301D61,SHA256=B5E2DF06843086DE9E02787EACF57485A85CD245BEF5F70CD54AACE0E625095A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:05.281{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000246939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:05.281{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E1B2DC64F0DBFEFD707E0E91123AC6,SHA256=F4CB72BE05298E9316F0CCA853A1BE74F50CADB3E0E12258044A211B496927E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:03.617{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56307-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000246942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:06.384{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:06.384{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28145500D77C36E1E839345A2A9BD85E,SHA256=B0027F52B7A5A523E7331F990CCD793633712E28AE91AEDDC5F27AFEC53D46E0,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000246945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:07.490{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:07.490{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5347F5D138C5991DDD57D80E36D050B9,SHA256=1CC2DC5DDE3BE5C179DE8C6A8CB6BC61DE2A9902634606791BD9071AA3178E25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:08.593{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:08.592{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67522F63E369CB925B2FBEB47376E43,SHA256=355FD2FF01A70931B696315A1CD3D8FB673E2C84497DD0883E5401A13EEBE53F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:09.697{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:09.697{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B12A3FB761CD9B83481B0906B77DE0,SHA256=FAAF7B47BA79CA3F5B70E5308B0FBAC6AE1BC2800B904865165E0DD3139E19BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:10.802{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:10.802{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FF2302554A7906672135A2E782D4AE,SHA256=DA093F46F029CA6FE267725B487F0BA65C922B8C924BB9DB6CF5BB69E877CB0E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:11.808{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:11.808{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0641328E4D7596F2DEA88D65B92534,SHA256=FA410790186819411FA6FFCB83DC7804315E63AA8C7C31841093E00590085DC2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:12.912{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:12.912{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B7FC21704FE25B7D3F018D1FF6ADEE,SHA256=077ECEF89B46230ED4D2A397E408E8176EE0DF40360111975AC4E54272FD083A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000246954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:09.601{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.510{8D845A55-25E9-6260-1203-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000246999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.510{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:29.510{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.509{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:29.509{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000246995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.509{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-25E9-6260-1203-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000246994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.509{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25E9-6260-1203-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000246993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.509{8D845A55-25E9-6260-1203-000000004402}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000246992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.218{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AE30D885F43F137D5EBD5D289E808E01,SHA256=081DD97987E3878D7021A0FF22F3B43EA7AA10B1D1046758D4C7BDA259DC9576,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000246991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.090{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000246990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:29.090{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D0EC30FDA714A4897076FDA021A159,SHA256=CA00CB0AAF93097A29A50AF8DA15029DD9568BE9211950E48B1C204217829C38,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000247155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.876{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.876{8D845A55-25EA-6260-1403-000000004402}6108C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.875{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.875{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.874{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.872{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.872{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.872{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000247147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.872{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000247146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.865{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.864{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.864{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.864{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.864{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000247141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.864{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, 
Inc.Valid 734700x8000000000000000247140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.864{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000247139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.863{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000247138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.863{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000247137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.863{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, 
Inc.Valid 734700x8000000000000000247136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.863{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.863{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.863{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000247133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.862{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 
(rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.862{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000247131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.862{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.862{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.861{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.861{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.861{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 
734700x8000000000000000247126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.861{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000247125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.860{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.860{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000247123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.860{8D845A55-25EA-6260-1403-000000004402}6108C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000247122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.860{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.860{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.859{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000247119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.858{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.858{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.857{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
734700x8000000000000000247116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.857{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000247115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.857{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.856{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000247113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.856{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.856{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.855{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.855{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.855{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.855{8D845A55-25EA-6260-1403-000000004402}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000247107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:27.733{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56312-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000247106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:27.732{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56312-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000247105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.422{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000247104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.422{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0175078DD785CF79A418F43B544B030,SHA256=B77BA0345330552499B0FFDCB5A0DEB1A7AE74B394324A5F7CCEF6F398E43DE2,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000247103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.351{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000247102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.350{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000247101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.349{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.348{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® 
Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000247099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.326{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.325{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B372CD8390BCD00AFC18C493C02ECEEF,SHA256=65E295B3B9F3AE859234943E1698899E46AAB27F02DFC18D6BEF57D1A3F94F41,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000247097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.209{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.209{8D845A55-25EA-6260-1303-000000004402}2352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.208{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.207{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.206{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.206{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.205{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.205{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000247089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.199{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000247088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.198{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.198{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.197{8D845A55-25EA-6260-1303-000000004402}2352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.197{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.197{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.197{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.197{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000247079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000247078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000247077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000247076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000247075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000247074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.196{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000247071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000247070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000247068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000247066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.195{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.194{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000247063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.194{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000247062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.194{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000247061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.194{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000247060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.193{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000247059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.193{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000247058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.193{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000247057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.192{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.192{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.191{8D845A55-25EA-6260-1303-000000004402}2352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.191{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.191{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000247052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.191{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.190{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.190{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.190{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:30.190{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.190{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:30.189{8D845A55-25EA-6260-1303-000000004402}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000247215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.876{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000247214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.875{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000247213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.874{8D845A55-25EB-6260-1503-000000004402}61323084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.874{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.873{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000247210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.741{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:31.740{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.740{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.739{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.738{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.738{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.737{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.737{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft 
WindowsValid 734700x8000000000000000247202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.730{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.730{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.730{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.729{8D845A55-25EB-6260-1503-000000004402}6132C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.729{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.729{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000247196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.729{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000247195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000247192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000247190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.728{8D845A55-25EB-6260-1503-000000004402}6132C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.384{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000247233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.384{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.384{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.384{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.384{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.383{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000247228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:32.383{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000247227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.382{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.382{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.382{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.381{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.381{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000247222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:32.381{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.381{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:32.380{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.380{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:32.380{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.380{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:32.380{8D845A55-25EC-6260-1603-000000004402}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000247378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.880{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000247377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.879{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000247376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.878{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000247375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.877{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000247374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.738{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.737{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.737{8D845A55-25ED-6260-1803-000000004402}2396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.736{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.735{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.735{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.734{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000247367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.728{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.728{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000247365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.728{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.728{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.728{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000247360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000247358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000247356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000247355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.727{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000247354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000247352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe 
OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000247351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000247350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.726{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000247346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.725{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000247345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.725{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® 
Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.725{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.725{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000247342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.724{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 
734700x8000000000000000247341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.724{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.724{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.724{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000247338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.723{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25ED-6260-1803-000000004402}2396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.723{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.722{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.722{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.722{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000247333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.722{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.721{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.721{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.721{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.721{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.721{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.721{8D845A55-25ED-6260-1803-000000004402}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000247326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.537{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.537{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194841CCDDAD706FA20F45174FBD4E4D,SHA256=9F1B6BAEB9BC0D714AD15EF0ED3C8B56EA0C86623EC2EAB3A3A4B5CEFFD00402,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.534{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.534{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7DB0F9E601CF51A52D1E9697C4F6D5,SHA256=FDDA10D105CF77D7B0C0478250B2B22230F68B4022F00865EA1CF6D495EB5120,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000247322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.202{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000247321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.201{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000247320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.200{8D845A55-25ED-6260-1703-000000004402}58005948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.200{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.199{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000247317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.061{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.061{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.060{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 
734700x8000000000000000247314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.059{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.058{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.057{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.057{8D845A55-25ED-6260-1703-000000004402}5800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.057{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000247309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.051{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.050{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.050{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.050{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000247304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000247303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000247302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.049{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000247297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000247296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 
734700x8000000000000000247294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000247293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000247292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000247291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL 
ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000247290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.048{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000247288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.047{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000247287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.047{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.047{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.047{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.047{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.047{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000247282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.046{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.045{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000247280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.045{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.045{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.044{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000247277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.044{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.044{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.044{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.044{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:33.044{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.044{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:33.044{8D845A55-25ED-6260-1703-000000004402}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000247379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:31.520{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56313-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:35.861{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:35.861{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461D3524105BA58D71F80193C180C7D0,SHA256=1A17BF49326113BF534417E2B548A029281E5680ADA27ABCA9D2F1EFD7A29F60,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:35.057{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:35.057{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405FB798022C76F0A54DD2FCBC6B55B9,SHA256=5C6C04D1B0F36A32A64677CC7ADF50490AED90BB2AA3D2D6449348E543361F89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:36.865{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:36.865{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA9D9B2DF621B51B95184918E8AFC97,SHA256=9F8E4D0B9858F83AE7F8BD793368399D4F0848B2B871A1AF600550BD41FF37E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:37.970{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:37.970{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061D00E7C0A1694196DC2D2C3D9BD006,SHA256=0DBCD34DC4710860D2E17FC97634F674F1B46D6583E4DB43F2C853A1E3B46367,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:38.973{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:38.973{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2798B1801346E82A128B0577C639602E,SHA256=CDC183879C17A9572356490313B11A942E9463B036E3B8387B1753E0F016727D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:36.535{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56314-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:40.076{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:40.076{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173FFDE3B23B7869D4F889C2D96E5BC7,SHA256=146A9A4ACC07ED56404102D097554C9C39100A001AA98EDC171E9891027A693C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:41.179{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:41.179{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07CBACE0F1E9CAB186522ABFC1DF187,SHA256=EF7C846573FE0B93C670172DE8A65C4936C3F083C667FC9C2727F33403E73316,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000247396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:42.182{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:42.182{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2EB25408AC43CFD30DCD33AA8FE6EB,SHA256=36829D6466EF0261034C63C2C5730D2B694D057BB2F96D341D4FAB7C2132F5CA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:43.286{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:43.286{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A262A421A75E2B4FDE566A4686297D,SHA256=F4F8B28DBF1B55DB5A9B8D8EA9C9F67152D5E16810337AD8C9981A2A73980520,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:41.603{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56315-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:44.389{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:44.388{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D7E06FA3308B805FABD6FBB4E739AD,SHA256=7DDF8C511050399ABBB7529B8E051AD4B2634833DF42F4C3DD585223F1F44586,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:45.392{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:45.392{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E571A6BD6D22B8923F94518F7947B0,SHA256=EEF887B8D6361BE812E811EFDE965092A76E323437C8890C6C1A187217280026,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:46.498{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:46.497{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BC5972A002E2E9CCD889777EB92F5B,SHA256=22044A472F26C677D9F8D9508FB9465BACE20998519230D9B6B52ACF5681C0DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:47.504{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:47.504{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C890BF73032C4B7B6D95898202A92A6E,SHA256=6B1D5BE31F7D9DAEF77E46BA2B59904F1C98945E5850D8C9E401B711A37BBB52,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:48.607{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:48.606{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959FC807A2F8B0C5EF64481421749769,SHA256=4F0C7B906E5F45340248A75591448185388E14CB4C7A89E6021E5DA2431510A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:49.611{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:49.610{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0C6F8AABB232E036452ADE2EA617AA,SHA256=F178963F7685886B95F83DA596E78B8F52C46CDE51E7819F3C4656020290134D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:47.458{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56316-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:50.714{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:50.714{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BE4D021BFE6B11166C6CE38E55EF9B,SHA256=9A3B1245DC8F13C88A28746AE6AC9DC9CFAC706E34499D925E60F848D80E4E46,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:51.819{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000247415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:51.819{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DE7580729C7D8BDDB84D8776CF705F,SHA256=F01AD36B2DBD56601EBB7F64F55BA79899EACDCEF06830D2A3FF7A49C0EF20F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:52.922{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:52.922{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF36740D7D74D67D5CA269CA24E3D777,SHA256=2F364E270D4F5315C6C515A72DE7B821F8D73C88239F2E1571D020361165F567,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:53.927{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:53.927{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4897EDA00B4ECB1EA1D483FDD0C78135,SHA256=D25A7928BC31AD84D96562DD4356A87184B321D0FA792A33A449F51503FE006B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:55.031{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:55.030{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F91F10C8E59B724690AE581E794830,SHA256=69A61F24337E38A6A62D5E0FE75CA7F4DF07A95FE37C0A38AA9A406397D2D9A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:52.538{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56317-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:56.103{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:25:56.103 11241100x8000000000000000247424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:56.038{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:56.037{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9633991614EDE8943A03D716DECBABDC,SHA256=6E4A8E610E3BC2DB93E2548798AFE851645F115BF69BD25061DC0A00BA849C7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:57.042{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:57.042{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0742014D3A489004D8DC33A9EBAD6EB,SHA256=DA1EE7D1EE3D1EAE6DE9A82432E97C9D8345C0866FE3F7D7CACAE4721B25E814,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000247430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:58.145{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:58.145{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAA7A7D0F4ABE4614DC3D7E73BDE34D,SHA256=A1866F6600960DEAEDFC456DD7E7E4B159616168A61DB21A16981538659E64EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000247440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.492{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-067MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.491{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0672022-04-20 15:25:59.491 11241100x8000000000000000247438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.490{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0682022-04-20 15:25:59.490 23542300x8000000000000000247437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.463{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=20F37849DC0573327DBE5CFF3F4C693E,SHA256=A55FC00025B92C925345E304F26EBC55D35C5700BE18952F786F1BA537E880F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.293{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000247435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.292{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1A27F1AE512FC74A89B783FDCB0C5ABC,SHA256=EBE464B9F79679C2B2E1BD35224F87E39432CFD0AB6FBEC04DC81ECA0A373F3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.251{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.251{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA37DEF2B45283C1B899B3D8F788D65,SHA256=92FFA65293112C657968EE9196B5BCD2EDD9D90053954A8F056BAF9A17E01ED2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000247432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:59.222{8D845A55-159D-6260-1600-000000004402}12924936C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:25:59.222{8D845A55-159D-6260-1600-000000004402}12924936C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000247443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:00.491{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:00.259{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000247441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:00.259{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA770AD67BBC86937AE3BE1EFF96085,SHA256=BCA21BF5C4F41D082BD014E02D747137B8A96CA08057CB065A3259CA6F62DB01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:01.273{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:01.273{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F253F6CE83DCE95D8558CA603B5A887D,SHA256=2B662A8B8EF5788EFADEE1CE7E3BA2DFB806E4A7E330957DD222B94B301BB32F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:02.279{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:02.279{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BCF6F55E0D1437AFC34099C5279D7BB,SHA256=9EFB914E13134191E4826D69DA9E2019F104713E57AD3CE55252487E627E086B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:25:58.422{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56318-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:03.436{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000247452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:03.436{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:03.386{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:03.386{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F66852B6E730DEB7B7DF5F8AF791C93,SHA256=CA493B2CFD3398FCE6D5EEBF1912B887790919CB9C39B4990BD92973D3C5CB1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000247449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:03.068{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-1596-6260-0100-000000004402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 11241100x8000000000000000247457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:04.493{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:04.493{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120FCFEFFC896CC1955E437DD2127422,SHA256=559671386B6E82EB392E92986DCEB74E372C979BE9B2E2AC67AEED4001F3AEF0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:04.093{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000247454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:04.093{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CD63515A410C02F156D2CAB29600BA3,SHA256=52A958448D5C74CDCE06C9E5D28D689828171DC9AEB720249C37C1C6D1016AD9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:05.597{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:05.596{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4440126066899E7E4F4041B490E55FBC,SHA256=D7078C14E1B9C2B282A8ECE6FF0EB24CBC98F4031F1BE7A8F45CDA0F9FE390E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:01.486{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56319-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000247458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:01.486{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56319-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 11241100x8000000000000000247464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:06.701{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:06.700{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B613CE279E2BF2F89CACE4BD34EDD1,SHA256=99362109C746F45324F40AC0680749EF2C261F9F95EB9C2004FD6F8A0A756F89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:01.850{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56320-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000247467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:07.804{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:07.804{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7736108F0B2B0538EB6BE6B81A387120,SHA256=F3624AEBB6BFFC25B3F105E7005F3FB3D245F9BA0834643E694C2FE37E2D6897,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:03.532{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56321-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:08.909{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:08.909{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623D87FF8F6BFF16C876AC2EDC29E09C,SHA256=30859D549EB68FD6C3C3AA4E4E64FB3023B804A73BF2534F9646964EA56D0137,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:10.012{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:10.012{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9A64B1FA0E3DF3E0A3D0844914A85E,SHA256=A850DAC619CFE1AC00C2C409531A68CAC48FAEFCB824D672E788B8E227789A25,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000247473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:11.115{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:11.115{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD38406EFEEB83FF500403BB862321A,SHA256=E13D5C03B6E3A2311DC47AB43719019A2954A8789946D0BF033BF76369C00662,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:12.220{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:12.219{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E599D1FF0F66AF612C3EB119144DC0,SHA256=8C3A32A24EF7CE8C5253281034AB4202591383308B46A0BE5E481055CB74215A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:13.324{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:13.322{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA11FAE7143F25B5CF5A169197A38287,SHA256=AB01D224769F2C55DA9FBDBAC2DF46D2516081F1E25068D4E087AECB57D4434D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:09.519{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56322-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:14.821{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000247481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:14.821{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41DD566A2985DA9E5308E024F608384B,SHA256=E52322E1C2C33F065200B416CE1B754821662E5E320D2458D33E1FB214EBB4C2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:14.429{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:14.429{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A994E05D22DB6C82233410207FEB49,SHA256=DEB2E825F534E359EA80E87EACB7722ADB9187F19F8E972A293B4B1C0355B71C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:15.535{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:15.534{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA98705111B1E32330040A89014B852B,SHA256=5665C5BE70EECE3D2F036148343BA8D8F35CB3B2DC859ED5974BEA6F26B43772,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:16.638{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:16.638{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ABEFCC9C50155BAAF0FD5843900E38,SHA256=CD11C3EC932C983229192D524E14EBB172CEE0741309FFC32D4E75564BC68274,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:17.742{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:17.742{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFD5B3C732C7E4BBF6D9B9E54F17756,SHA256=C50F1A1E3E7C98EFDFE3FA11DAC1C4DF39D23ED50BC3BCFE2F7CC7B7F6C62EFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:18.746{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:18.746{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C4EB028611AE9FCA8B284699CE49AD,SHA256=D2991D8973A5AE8CDC98582F5852E26B9F0957FD74B51FF1C8110531C3BCE068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:14.580{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56323-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:19.849{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000247492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:19.849{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=173C9871F3EF8F87D58AEF663E4DC507,SHA256=4142B2E3299C2682AA2BEE8B9A25C078DE53F807C4236E7B825C173006E8714F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:20.855{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:20.855{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E441152E0C03EF535B26F1C0C74426,SHA256=834F9F6FE062773FCE7C08B4BE25DF0D8A9CA4E062191B3279733A33BD56A3F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:21.958{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:21.957{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1A2DFB85F82B10FE01AFFA7F744D16,SHA256=9FBEC4F3614CEC68A8CECABD2508A4D29D6C638F9424BC97FE28CBA04EF673FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:22.964{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:22.964{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CB55A7D4F2860AC865A098AFC4B3D6,SHA256=C9C742EC3F3924DF213B6A5B02F7D34018978A6D51BD9518FF5087CCD53B6B3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000247498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:22.849{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
354300x8000000000000000247503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:19.603{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56324-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:24.067{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:24.067{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283F138BFD894D4862D6EB4EABDBA673,SHA256=C15BCA3A6D768AFCFFDEA83E016CE9A1434BEFD6A7E58F30BEACD6C608DF77EF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:25.173{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:25.173{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=613730AFDFF5776EBA2C56793B7DB82D,SHA256=CB9D09E314BDC3F78CDFE7AB4A99B14346FDD847ADD0B82940DBE7A70DE3DFC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:26.176{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:26.176{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A924DE957E2A908A6227D97F27860137,SHA256=2A5C8D92BC16CA7711937DA1A894074B6E3D4E3E7DF1789569E1A8AEB33979CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:26.091{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:26:26.091 11241100x8000000000000000247510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:27.281{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000247509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:27.280{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEDEDAB5898AA2A159324D37D12BA9B,SHA256=6B917CCE9BCB46FA96E506593D731079F11A63DDB62BA910A4619D83E9AAB4F5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:28.384{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:28.384{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCC1E58EB7BD65257240266C34A9695,SHA256=2097961A51F5C5C5746498B60431BB8D0BD0B2AB6A5D6706F645E16A565F3778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000247568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.694{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=516818F64F271A9DE36BFFDFBC6A3FB7,SHA256=ECF673084FF992C0FD521D27BA901FBFC56BE98EFA5D274CA6F671DC3C34364C,IMPHASH=00000000000000000000000000000000falsetrue 
534500x8000000000000000247567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.675{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000247566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.674{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000247565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.673{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.672{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft 
WindowsValid 734700x8000000000000000247563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.519{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.519{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.518{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.517{8D845A55-2625-6260-1903-000000004402}3360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.515{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.515{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.515{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.514{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000247555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.508{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.507{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 
734700x8000000000000000247553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.507{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.507{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.507{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000247548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000247547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
734700x8000000000000000247543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000247541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000247540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.506{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 
(rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000247539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000247538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000247537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000247535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000247534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.505{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000247532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.504{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.504{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.504{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000247529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.504{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000247528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.504{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000247527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.503{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.503{8D845A55-2625-6260-1903-000000004402}3360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.502{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.502{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.502{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK 
providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000247522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.502{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:29.501{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.501{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:29.501{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.501{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.501{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.500{8D845A55-2625-6260-1903-000000004402}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000247515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.491{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000247514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:29.491{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471E785FDC09F8D42E04978DD871E243,SHA256=C9C55A592A993126F8C1C57386807776803B26010CA5E7D68E7CF79F8C019EF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000247513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:25.477{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56325-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000247682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.989{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000247681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.987{8D845A55-2626-6260-1B03-000000004402}44121312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.987{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.986{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000247678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.853{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:30.853{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.852{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.852{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.850{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® 
Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.850{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.850{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.849{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000247670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.849{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000247669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000247668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000247667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000247666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000247664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000247663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000247662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.843{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000247661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.842{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.842{8D845A55-2626-6260-1B03-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.170{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.170{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000247589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.169{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 
734700x8000000000000000247588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.169{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000247587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.169{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.169{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000247585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.169{8D845A55-2626-6260-1A03-000000004402}3816C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000247584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.169{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000247583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.168{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000247582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.168{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.168{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000247580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.167{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.167{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000247578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.166{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.166{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.166{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000247575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:30.166{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.165{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:30.165{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.165{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:30.165{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.165{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.165{8D845A55-2626-6260-1A03-000000004402}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000247736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.887{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 10341000x8000000000000000247735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.885{8D845A55-2627-6260-1C03-000000004402}60684100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.885{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000247733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.884{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.883{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000247731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.738{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000247730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.738{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.737{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.736{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.735{8D845A55-2627-6260-1C03-000000004402}6068C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.735{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.734{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.734{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000247723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.728{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.727{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:31.727{8D845A55-2627-6260-1C03-000000004402}6068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000247810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.907{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.907{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.907{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000247807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.907{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.906{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000247805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.906{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000247804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.906{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000247803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.905{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.905{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.904{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.904{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000247799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.904{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:32.904{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.903{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:32.903{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.903{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.903{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.903{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000247792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.660{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:32.660{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE852674651226207AF68D42C9338D9,SHA256=087243AAE79EB14676DDB3AB42AE38727C2728920DF9924E5D69D4047689AFDB,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000247790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.653{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000247789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.652{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000247788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.651{8D845A55-2628-6260-1D03-000000004402}52923948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.651{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.650{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000247785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.404{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000247784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:32.403{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000247783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.403{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000247782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.402{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000247781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.401{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000247780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.400{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000247779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.400{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000247778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.398{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft 
WindowsValid 734700x8000000000000000247777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.394{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000247776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.393{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000247775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.393{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000247774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.392{8D845A55-2628-6260-1D03-000000004402}5292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000247773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.391{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.391{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:32.391{8D845A55-2628-6260-1D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
15:26:33.589{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000247874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.589{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000247873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.589{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000247872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.588{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000247871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.588{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000247870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.588{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000247869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.588{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000247868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.588{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000247867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.587{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000247866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.587{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000247865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.587{8D845A55-2629-6260-1F03-000000004402}5788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000247864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.587{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000247863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.586{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000247862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.586{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000247861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.586{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.586{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000247859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.585{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000247858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.585{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000247857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.584{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000247856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.584{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000247855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.584{8D845A55-2629-6260-1F03-000000004402}5788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000247854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.584{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:33.583{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.583{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:33.583{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000247850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.583{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000247849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.583{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000247848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.582{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000247847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.160{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:26:33.159{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238C13026E02556BEF583D8C3F37C5D7,SHA256=4268517259A0B921BFFE978E7DAFB26493B067BEFCC5CA72F3EEB8B7FE1A0811,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000247845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.077{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000247844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.075{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000247843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.075{8D845A55-2628-6260-1E03-000000004402}53363420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000247842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.061{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000247841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.061{8D845A55-2628-6260-1E03-000000004402}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000247909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.527{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56327-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000247911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:35.239{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:35.238{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E6099E60B1DDEA211FDF3E77E769F7E,SHA256=84C3AD49F55055FCC3F354BD3FFD276D77636CBCAFF63D1AB7BA82E5F5A26833,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:36.341{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:36.341{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6224BC5785A1B1989A42777612022BE8,SHA256=A2977CC2B04C960BBB598DC86DF42654FF4C7A729DC98C887364077747BBC0DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:37.446{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
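The records above are Sysmon XML events with every tag stripped: each one is the `<System>` header (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, Security) immediately followed by the `<EventData>` values in schema order, and a single space separates consecutive records. Most fields can still be recovered because they have recognisable shapes (GUIDs, hashes, paths, `true`/`false`, the `Valid` signature status), but two adjacent numeric fields with no delimiter between them (SourceProcessId+SourceThreadId in event 10, LogonId+TerminalSessionId in event 1) cannot be told apart, so the right fix is to re-export with delimiters and treat the parser below as a salvage tool. The following is an added example, not code from the page or from the Attack Range project: it splits the dump into records, parses the header and the bodies of events 1, 3, 7 and 10 with regular expressions that assume Sysmon's field order, Level always 4 and Task equal to EventID, and runs two checks over the result. Four sample records are copied verbatim from the dump above; the two records that trigger the checks (an unsigned `helper.dll` load and a `tool.exe` opening `lsass.exe`) are constructed for the example, as are their GUIDs and record IDs.

```python
"""Added example: salvage parser for the tag-stripped Sysmon dump, plus two checks run over it."""
import re
from collections import Counter

CHANNEL = 'Microsoft-Windows-Sysmon/Operational'
GUID = r'\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}'
EXE = r'[A-Za-z]:\\.+?\.exe'
HASHES = (r'MD5=(?P<md5>[0-9A-F]{32}),SHA256=(?P<sha256>[0-9A-F]{64}),'
          r'IMPHASH=(?P<imphash>[0-9A-F]{32})')

# <System>: EventID Version Level Task Opcode Keywords EventRecordID Channel Computer Security("-").
# Level is always 4 and Task repeats the EventID, so "10341000x8..." splits as 10|3|4|10|0|0x8...
HEADER = re.compile(
    r'^(?P<event_id>\d{1,2})(?P<version>\d)4(?P=event_id)(?P<opcode>\d)'
    r'(?P<keywords>0x[0-9a-f]{16})(?P<record_id>\d+)' + re.escape(CHANNEL) +
    r'(?P<computer>.+?)-(?P<utc_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})'
    r'(?P<process_guid>' + GUID + r')(?P<body>.*)$', re.S)

BODY = {
    # 7 ImageLoad: ProcessId Image ImageLoaded [FileVersion..OriginalFileName] Hashes Signed Signature Status
    7: re.compile(
        r'^(?P<process_id>\d+)(?P<image>' + EXE + r')'
        r'(?P<image_loaded>[A-Za-z]:\\.+?\.(?:dll|drv|exe|ocx|cpl))(?P<version_info>.*?)' + HASHES +
        r'(?P<signed>true|false)(?P<signature>.*?)'
        r'(?P<signature_status>Valid|Invalid|Unavailable|Errors|HashMismatch)$', re.S),
    # 10 ProcessAccess: SourceProcessId+SourceThreadId (fused, no delimiter survives) SourceImage
    #    TargetProcessGUID TargetProcessId TargetImage GrantedAccess CallTrace
    10: re.compile(
        r'^(?P<source_pid_tid>\d+)(?P<source_image>' + EXE + r')(?P<target_guid>' + GUID + r')'
        r'(?P<target_pid>\d+)(?P<target_image>' + EXE + r')'
        r'(?P<granted_access>0x[0-9a-f]+)(?=[A-Za-z]:\\|UNKNOWN|$)(?P<call_trace>.*)$', re.S),
    # 3 NetworkConnect (IPv4 rows only): ProcessId Image User Protocol Initiated SourceIsIpv6 SourceIp
    #    SourceHostname SourcePort SourcePortName DestinationIsIpv6 DestinationIp ... DestinationPortName
    3: re.compile(
        r'^(?P<process_id>\d+)(?P<image>' + EXE + r')(?P<user>.+?)(?P<protocol>tcp|udp)'
        r'(?P<initiated>true|false)(?P<src_ipv6>true|false)(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})'
        r'(?P<src_host>.*?)(?P<src_port>\d+)(?P<src_port_name>-|[a-z][a-z0-9-]*)'
        r'(?P<dst_ipv6>true|false)(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<dst_host>.*?)'
        r'(?P<dst_port>\d+)(?P<dst_port_name>-|[a-z][a-z0-9-]*)$', re.S),
    # 1 ProcessCreate: FileVersion..CurrentDirectory stay fused in 'unsplit'; LogonId and
    #    TerminalSessionId ("0x3e7" + "0") cannot be separated once the tags are gone.
    1: re.compile(
        r'^(?P<process_id>\d+)(?P<image>' + EXE + r')(?P<unsplit>.*?)'
        r'(?P<user>[^\\{]+\\[^\\{]+)(?P<logon_guid>' + GUID + r')(?P<logon_id_session>0x[0-9a-f]+)'
        r'(?P<integrity>Low|Medium|High|System|AppContainer)' + HASHES +
        r'(?P<parent_guid>' + GUID + r')(?P<parent_pid>\d+)(?P<parent_image>' + EXE + r')'
        r'(?P<parent_command_line>.*)$', re.S),
}
# A single space precedes every <System> header in the dump; split there.
SPLIT = re.compile(r'\s(?=\d{5,7}0x[0-9a-f]{16}\d+' + re.escape(CHANNEL) + ')')

def parse_record(raw):
    """Parse one record; bodies of event types not modelled above are kept in 'raw_body'."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError('not a Sysmon record: ' + raw[:40])
    rec = m.groupdict()
    body = rec.pop('body')
    rec['event_id'], rec['record_id'] = int(rec['event_id']), int(rec['record_id'])
    bm = BODY[rec['event_id']].match(body) if rec['event_id'] in BODY else None
    rec.update(bm.groupdict() if bm else {'raw_body': body})
    return rec

def parse_dump(blob):
    return [parse_record(chunk) for chunk in SPLIT.split(blob.strip()) if chunk]

def event_counts(records):
    return dict(Counter(r['event_id'] for r in records))

def unsigned_loads(records):
    """Event 7 rows whose loaded image is unsigned or whose signature did not verify."""
    return [r for r in records if r['event_id'] == 7 and 'signed' in r
            and (r['signed'] != 'true' or r['signature_status'] != 'Valid')]

PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020  # winnt.h

def lsass_memory_access(records):
    """Event 10 rows that open lsass.exe with a right that reads or writes its memory."""
    mem = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE
    return [r for r in records if r['event_id'] == 10 and 'granted_access' in r
            and r['target_image'].lower().endswith(r'\lsass.exe')
            and int(r['granted_access'], 16) & mem]

PAGE_RECORDS = [  # four records copied verbatim from the dump above (events 7, 10, 1, 3)
    r'734700x8000000000000000247856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.584{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid',
    r'10341000x8000000000000000247859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.585{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791',
    r'154100x8000000000000000247848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:33.582{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r'354300x8000000000000000247909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:26:30.527{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56327-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-',
]
CONSTRUCTED = [  # two constructed records (not from the page) that exercise the checks
    r'734700x8000000000000000900001' + CHANNEL + r'win-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:00.000'
    r'{8D845A55-2629-6260-1F03-000000004402}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe'
    r'C:\Users\Public\helper.dll-----MD5=' + 'A' * 32 + ',SHA256=' + 'A' * 64 + ',IMPHASH=' + 'B' * 32 + 'false-Unavailable',
    r'10341000x8000000000000000900002' + CHANNEL + r'win-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:05.000'
    r'{8D845A55-2A3D-6260-2403-000000004402}41204128C:\Users\Public\tool.exe{8D845A55-159C-6260-0A00-000000004402}676'
    r'C:\Windows\system32\lsass.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Users\Public\tool.exe+1a2b',
]
SAMPLE_DUMP = ' '.join(PAGE_RECORDS + CONSTRUCTED)

if __name__ == '__main__':
    recs = parse_dump(SAMPLE_DUMP)
    print(event_counts(recs))
    for r in unsigned_loads(recs):
        print('unsigned load', r['record_id'], r['image_loaded'], r['signature_status'])
    for r in lsass_memory_access(recs):
        print('lsass access ', r['record_id'], r['source_image'], r['granted_access'])
```

Run it as a script and it prints the per-event counts for the six sample records followed by the two findings. The page's own event 10 rows, in which conhost.exe and csrss.exe open the freshly started splunk-winprintmon.exe with 0x1fffff and splunkd.exe opens the child it just created, are ordinary process start-up, which is why the access check keys on the target being lsass.exe and on the VM_READ/VM_WRITE/VM_OPERATION bits rather than on the mask alone; the unsigned-load check is likewise silent on the page's records because every image load there is signed and verified as Valid.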
23542300x8000000000000000247995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:01.999{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:01.047{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:01.047{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA26B67B8DF3323DF238C8358CF68586,SHA256=8BD9C9DAA44DA632DD9A64A4D9B5F979C8C0AF1EAEFB1BB876B9D16A472073BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:02.050{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:02.050{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E083F3B9136A1647296F53FB657FB20B,SHA256=BCA193E6EB519A32510E2BCA062F1DB0B747785E92E6B0B29580CE4C6816E345,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.454{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000248000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.454{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000247999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.257{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000247998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.257{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2688598D161DDDD518CB97D6D4D741,SHA256=C358472049136E41180F44C7121CC6DE2B108D1103B85CACCB59E893E6135A92,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:04.364{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:04.364{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BE41C9172ECCB8AB99915CF6119CCB,SHA256=C2243B91ACEDFB67632C4A39CC99DDDF44736C67C6EEAAB5AAC7F019274B8042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000248010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:05.620{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-1596-6260-0100-000000004402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000248009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:05.527{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:05.518{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000248007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:05.469{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:05.469{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7001636339DBFC52EC5FC575B0FA7F9F,SHA256=750EB007A81365CAC189ABD518CADFF14964D90AD2A0CD58BB85F85F8C9635D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:01.855{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56337-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000248004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:01.630{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56336-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:06.578{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 
23542300x8000000000000000248013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:06.578{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5716673FDCC14894A18B960F0F91745D,SHA256=ABCF28315B3CE15B5A52A6BA3A5F0611E2CE3D26D36E37B00BA42F0B3F0ECCC1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:06.476{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:06.475{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4A20F055242D512DEC65FAB5DAC204,SHA256=76B7E1E840888AC0604FDC83D79597263F564894EA4586D1121C0049F3C0E43C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:07.481{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:07.481{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C483DC47FA9E5F02E482F0C4CA760271,SHA256=21A6E692A2D8F80EAE92C2EF18450CD6310669C3D68CBC934B650F0A1F3380ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:04.036{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56340-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000248019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:04.036{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56340-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000248018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.944{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56339-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000248017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.944{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56339-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000248016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:03.937{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56338-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000248015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:03.937{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56338-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000248024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:08.685{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:08.684{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E865A17AA2201AA92C7F3A5EEAC4AE7E,SHA256=975D07802F25D9940B5AEB6C076C0E0AB15B5FE12B03C208B809BEA9489C18D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:09.789{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000248025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:09.788{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208A88608BBB5A01DBC167CE05B79E11,SHA256=55DA3429E3A6DCE3D26801865B9C71AEB2E9E859A1072D6982D24842ECD5AA13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:10.891{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:10.891{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E15886576E99AD6924E129DCAA2BDB,SHA256=8390ED960DD6D0288C3C8F5B404BFB70975151512B31E0AE5ABDEE86746A8704,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:11.995{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:11.995{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416B4FE798A27FB6F22FD9C8080EC4A2,SHA256=B456C014A4AE6325AC471A3E316A850E8F4DD152B0CF00BBB58A938C3F5944D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:07.600{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56341-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:13.100{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:13.100{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAAD0EABCB5B0FA98EA9C08BF2C4391,SHA256=B8641DEED61D097C70EA097C0BE12707AF89A3F2B2D4A72A58D2FCDC347B4FE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:14.103{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:14.103{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0475FAB73DC7FBE21E86F2641946619E,SHA256=C5D1F6A57378D6B2706CF0AA6E620548D50D0EE290B783FC406947D7C43C737E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:15.110{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:15.109{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF1664BA5F753E9299BC84A64B5D1F1,SHA256=4860AD51BDB44C1C39929F271CF5F480977084E58D15A6C1A9EE7BDED35AED19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:12.602{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56342-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:16.216{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:16.215{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A173860D998208701478ED4161413CDE,SHA256=BBFB8111F46BA6A1C58E9A4ED588A646761DE267E2024ED2F1AAE554DECB4D28,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:17.400{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000248043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:17.400{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6C517DBD789842B84E17B4A0CFADF62,SHA256=C92389B62E41A6B419CD7E1A42DE3101A05E2216BC6D57083CB5AB42B4FFBEA5,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000248042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:17.225{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:17.224{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59FBA698FF1AB7A23A583C438A01013,SHA256=9B8730FDFC0C552B37108CD3B758BF34DE3E869A17962355298985C621146AED,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:18.327{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:18.327{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1C64F54F94A5DBB12C594F1010415F,SHA256=F1B210898C7FFCCE2E30CD7438CE50BEA8686D2A481BAE98D0A7531F41975D22,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000248051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000248093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.509{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.508{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.508{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.507{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.507{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000248088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:29.507{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.507{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:29.507{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.506{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:29.506{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.506{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.506{8D845A55-2661-6260-2003-000000004402}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000248081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.118{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D889D0BAA2B7C261F0F94C1E24EC35C8,SHA256=465305529FC20014A4EB6BAA57299051232FD8F86E49B37A7127618EAEFFC986,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.072{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:29.072{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF6CA40852836EE87B7522371C48B3A,SHA256=54E03AD88C4AC801E3141B1948C1EC58BDB09A3B5018C6DCA9D310B8FE136937,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:30.930{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.930{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE3A31535B92699F9BD136D465391AF,SHA256=79FA01F749F4DC21D54258F1547A82379F08E13E35677C1FB16A429BF40B84B4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000248241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.867{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000248240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.866{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000248239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.866{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.865{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.864{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000248236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.864{8D845A55-2662-6260-2203-000000004402}4360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.863{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.863{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000248233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.857{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000248232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.857{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000248231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.856{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000248230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.856{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft 
WindowsValid 734700x8000000000000000248229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.856{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000248228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.856{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000248227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000248226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000248224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000248223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000248222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000248221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000248220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.855{8D845A55-2662-6260-2203-000000004402}4360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.174{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000248149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.173{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.173{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000248147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.172{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.172{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.172{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000248144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:30.171{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.171{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:30.171{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.171{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:30.171{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.171{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:30.171{8D845A55-2662-6260-2103-000000004402}1912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000248303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.899{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000248302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.898{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000248301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.896{8D845A55-2663-6260-2303-000000004402}13002472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.896{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000248299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.895{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000248298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.750{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000248297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:31.750{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000248296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.749{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.748{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.747{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000248293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.747{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.746{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.746{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft 
WindowsValid 734700x8000000000000000248290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.740{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000248289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.739{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000248288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.739{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000248287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.739{8D845A55-2663-6260-2303-000000004402}1300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000248286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.738{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000248285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.738{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000248284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.738{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000248283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.738{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000248282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.738{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000248281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.738{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
734700x8000000000000000248280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.737{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.737{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000248278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.737{8D845A55-2663-6260-2303-000000004402}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000248277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:31.737{8D845A55-2663-6260-2303-000000004402}1300C:\Program 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000248322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.391{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000248321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.390{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000248320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.390{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000248319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:32.390{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000248318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.390{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000248317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.390{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000248316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.389{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2664-6260-2403-000000004402}5208C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.389{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.388{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.388{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.388{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000248311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.388{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:32.387{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.387{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:32.387{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.387{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.387{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:32.386{8D845A55-2664-6260-2403-000000004402}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000248304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:28.543{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56348-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000248467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:33.896{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000248466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.895{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000248465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.894{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000248464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.892{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000248463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:33.742{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000248462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.741{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000248461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.741{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.740{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.739{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.738{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.738{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000248456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.732{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000248455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.732{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000248454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.732{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000248453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000248452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000248451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000248450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000248449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000248448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000248447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.731{8D845A55-2665-6260-2603-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000248446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000248379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.054{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000248378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.054{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000248377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.054{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000248376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:33.054{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000248375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.053{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000248374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.053{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000248373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.053{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, 
Inc.Valid 734700x8000000000000000248372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.053{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000248371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.053{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000248370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.052{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.052{8D845A55-2665-6260-2503-000000004402}4824C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.051{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.051{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.051{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000248365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.050{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:33.050{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.050{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:33.050{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.050{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.050{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.050{8D845A55-2665-6260-2503-000000004402}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000248469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:35.030{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:35.030{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3AA8DA33CCBF44A09150F425C5DE2F,SHA256=D343A49971F2E28B5695C584B34C36C8E97703361D18E01842A8D989F283758C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:36.134{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:36.133{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF5CB294CA1F1B57C05D8E122ACE3C2,SHA256=A89E67AE45E0D61FE69F59C7AE13B35AF94E76FB88DA43657E80CC257CA6EC11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:33.627{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56349-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:37.138{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:37.137{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBEB23098C8809C988980BE5D72D08A,SHA256=E9FBF7B7800D8320A72E1112C75E87BADD89EF826EC02C9D34C13DAB2ED372BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:38.242{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:38.241{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FE14B1D3A9D473ABB8FA7BCBD78B7C,SHA256=486A2883C2EBF119597D622F2E4593558F294A4A36EBB23D1AE1EC29B2FBD83B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:39.345{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:39.344{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC670B174F84E20970199D3AB31908ED,SHA256=3D5C105A199BF54EA84117E351F42E6CF81D0172F01EADA1DCF4971149C7D613,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:40.350{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:40.349{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D6D3C77895867570B0C34E44CD2F2B,SHA256=868FAF396CC397E2E1C8BB47848F2FDB7875BF59A290EA09C6EC025929817957,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:41.457{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000248481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:41.456{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07C48A45046F8246529775D3F6AB964,SHA256=9D29A5AEA5714F92F098BE22D9F733DCDB02D022267024C7E1F3500795518CC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:42.561{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:42.561{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63C5925DE062619DF492C08758A291A,SHA256=E5B08EE8995B6871ABE136A1CB3C856173B1D267E8DED8B64883C272A05D1055,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:39.435{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56350-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000248487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:43.665{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:43.665{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEC824B409F1FC42F439D6EF71339A7,SHA256=436C31407D50969E020B4CAA271F57F13C9FD0DBE0ED656BE7F01A3CF27CB623,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:44.770{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:44.770{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1983E917E7849BDA0A11F266B110ECB,SHA256=9C5CD9E494129FDE8A4DB6D81D687C7D1CD4576259A2621E3D53FAF9A4A555E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:45.783{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:45.782{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E79BFA7C6A7F7E8FD46803377EE6E4,SHA256=0145A813EFFC6BBD0068C042FD051F5B63AA0A1FF6F81BC24CBBA4336BECFC8D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:46.888{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:46.887{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1297ACD73F8719DCE8F5E1E55541A738,SHA256=5F8DCB6FA8661C564184FB837F4C0F1273994C2FCEBBDCE490E70D9BAE019D8C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:47.992{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:47.991{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70F9522483B9DA10AC0802C20096426,SHA256=FAC04C10DA41151C85B0D0C442D9F78AD0115E64709D06950A1458EC37F2B688,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:44.504{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56351-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:49.094{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:49.094{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435D6319078697613A65737A549088AC,SHA256=BF79404E80D4FC5084E28A9528D52486F965BFA247DC977C538ED92978E59E59,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:50.198{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:50.197{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9982D54DFAE2A0047A3A61DDAAD0EC0B,SHA256=FD6F0536B55C19D762565D58B9ADF517511447392A09A2358FD7F7689AA2C4C1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:51.301{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:51.301{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABCCECDFE8A3C6753D028D305CB04DB,SHA256=3B2AC554261A3200B02FA49514450F2946F5933D04D1A1A4D5278012A623A4EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:52.411{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:52.411{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD43111AE2239108565FFFE33A1CD215,SHA256=9ADE4581FD8719A9B6A00367A424E69B157367E29BC2857C9296441924F7BD86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:49.608{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56352-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:53.514{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000248506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:53.514{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D852E279899717B0A9CAC30052D04F32,SHA256=8AEB0E549402AA7E5E2BDDC8B2192D2DDB626BF62706BE721F07AED2EE53A3BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:54.617{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:54.617{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B8BFBA6AC1FB5A0505B83E3505ACEA,SHA256=575950680E5410048422A7F771787EDF565438F058371EF18389C1535F25B17C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:55.720{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:55.720{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72AEF15053B0AEFEE6660115169970A,SHA256=E37B4A8EBF96BBADA6CF84ACC410722DB3330081F1AF8A04650173F32647DA27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:56.825{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:56.825{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0828AF2D8A8123D3DB44E84A413D71B7,SHA256=794B8D39DE5E404FCFAC53ECD44E3EA0036D78908CFDF5FB78BCD7D2D9315D9B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:56.107{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:27:56.107 11241100x8000000000000000248516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:57.828{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:57.827{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99CC8C0F61807EB6E324990C7B5D9766,SHA256=A32E9073D67DF06B8AE2049DAB7613DE618FFACDCF6F287218C21DCFAF1F6E3F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:58.934{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:58.933{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F32DA3D8EDD467EBF22788E98EEFC61,SHA256=8117CA6B32B8C5AD8CBCB53BBDFF19E871FD978A57D8163E180F5D749690CFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:55.461{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56353-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:59.939{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:59.939{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B878A9A6955BE0EC08C4289186F982,SHA256=074349175F64F49E80B8217B6C36299AACD0F511FC5E9080A76C6EBBC499B75B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:59.298{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000248521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:59.298{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=57DE85D8F157888B97AF2EF52E9751E7,SHA256=F87CD7408FBD4017912E88B20DBB96C808EB7A244369F8928EF59828C27DE9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000248520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:27:59.297{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=34FE32DC34179681258B643191BBCD4C,SHA256=C946C0227084352A5E50F27876DEA2AE7BB7803D5370CA1FF6A56737847A2506,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:01.045{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:01.044{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806F1EF4EA27C965CC31848D440C3B57,SHA256=8B22B36E9EF40CEDB765EF0A4FAF6E97E2F99ACAF2A3CA69DAA1F1428FCE9511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000248531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:02.506{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-069MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:02.505{8D845A55-15B0-6260-4700-000000004402}3580C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0692022-04-20 15:28:02.505 11241100x8000000000000000248529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:02.504{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0702022-04-20 15:28:02.504 11241100x8000000000000000248528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:02.149{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:02.149{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90744F7CAF048CAC53B2BC1640E97D46,SHA256=08080F4E4F6909B43B6B51C9C86CC258E77B930AA619B91CD5D4542654B04859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000248537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:03.505{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000248536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:03.473{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000248535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:03.473{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:00.502{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56354-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:03.253{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:03.252{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE70BD70B9875055EDA49F5D7A6850F,SHA256=469A4CEBB5708B0881227F86A873DA0ED26B4DE8A1B0B2C853D2887923176909,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:04.258{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:04.258{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE764B3E86478DDF8BAFD8AE65B64ED,SHA256=796FCC4B7DDAD6D9ADB5F669EACB37DB1DFC78A683AE4DFF18677373576B8D7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:05.363{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:05.363{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12048FEAEF01AAFC40B7FAC33B469B65,SHA256=D32C7B9FEC8DE2C6F29CAA9A349FB4FCBBAC5C12ABB610DCEAE9ECDD9E90B4A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:01.873{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56355-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000248544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:06.366{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:06.366{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A66FB3B5BFFF9A39CF419E2E80BA3E,SHA256=CA658A01CD72BB3A86DBA75F3CA5AFB5C8F2617ECCA905E653C1B51FBE62658C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:07.472{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000248545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:07.472{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144E4070C7BBF26D9A07A8317C8403A7,SHA256=361C8F2E78987F5AD097F8DBFBBCC4EECCE5A6C006CA108037F97D2165CDF681,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:08.477{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:08.477{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB50038BA7F53AD84FCA27BC5983D33,SHA256=D39E2C1CA30542E259812FB0F321EC59A015845218DA31CE3C6249B09ABBAF04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:05.591{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56356-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000248551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:09.580{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:09.580{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B41FB2ADBF6360F816ECD51DE2F02A,SHA256=00BAB2C632ABE9EE9E1CD3332A3BAE08314BCE5D6B8187C10B60F1DA8A9B07B4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:10.686{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:10.685{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56DF8D42DC4EDBA64720338A5F27C06,SHA256=F5B44F5F0065A24200E4919339EEFF1E5C5EF8F1E08C95441B2E536FE16959BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:11.790{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:11.790{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3FEEAC2AD2C5485C42E82ACB809CBC,SHA256=92AEA17A9C40AB89ABB5C00EDD1F01DD621399942B306F9EDDB5E2CB52285ED7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:12.799{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:12.798{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20894643E719F608007B2593051854B,SHA256=FB537DFA7D01E982EE81A1AA5FCA4CC95B654277B741442EDF7E2C9371FC4CDB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:13.904{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:13.904{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F042C308AEBA8D153AFB8F3DF87143A,SHA256=0305CE9AA4550B8112FE935872C6CF93BA91BFB25D4F5FCC653138F1F4874CDD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:14.910{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:14.909{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888A816ED44810BB6E1E9C3A15D6E81D,SHA256=0B4E2CC19FF92B147E92D5A448F67C13CD418B47456F2E71C581FE5B8164DBDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:10.593{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56357-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:16.014{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:16.014{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58696470593C4A81CF25CEC0CFF3203,SHA256=237C757C207E749EFD0FED01A505CC890A88E4947256E1FAAAD0C8A237EF79FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:17.117{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:17.116{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DB20C78BEE87F26DAC205CCD4CA901,SHA256=0E7D0691D0665D247AEEAC68CE0A009991CF2A7A6763C95372A6435C413FA335,IMPHASH=00000000000000000000000000000000falsetrue 
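The records in this dump are Sysmon XML events with every field value run together and no delimiters: the System section (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, then "-" for the empty RuleName) followed by the EventData values in schema order. That makes them hard to search, but several fields keep a fixed shape that survives the concatenation. The Python below is an added example, not part of the original log or of the Splunk Attack Range project: it splits such a dump into records, disambiguates the header digits (Sysmon sets Task equal to EventID, which fixes where the EventID ends), recovers UtcTime, ProcessGuid, the Event ID 3 network tuple and the Event ID 10 GrantedAccess and CallTrace, and then runs two checks: an egress allowlist for the forwarder's connections to 10.0.1.12:8000 and :8089 seen in these records, and a GrantedAccess mask test for ProcessAccess events. Four of the sample records are copied verbatim from this page; the fifth (record 900001, a powershell.exe connection to 203.0.113.7:4444) is constructed to exercise the alert path. It assumes the schema versions shown here (Event ID 10 version 3, without SourceUser/TargetUser), hostnames that do not end in a digit, and that the fused SourceProcessId/SourceThreadId digits of Event ID 10 cannot be separated.

```python
"""Parse a delimiter-less Sysmon dump (concatenated XML field values, as on this page)
and run two detection checks over the fields that can still be recovered. Added example."""
import re
from dataclasses import dataclass
from typing import Optional

CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# System section: <EventID><Version><Level><Task><Opcode><Keywords><EventRecordID><Channel><Computer>-
HEADER_RE = re.compile(r"^(\d+)(0x[0-9A-Fa-f]{16})(\d+)" + re.escape(CHANNEL)
                       + r"(.*?)-(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2})")
# A record starts wherever whitespace is followed by such a header; line wraps inside a record survive.
SPLIT_RE = re.compile(r"\s+(?=\d+0x[0-9A-Fa-f]{16}\d+" + re.escape(CHANNEL) + ")")
# EventData values whose fixed shape survives the concatenation.
UTC_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\{([0-9A-Fa-f-]{36})\}(\d+)")
NET_RE = re.compile(r"(tcp|udp)(true|false)(true|false)(\d+\.\d+\.\d+\.\d+)(.*?)(\d+)-?"
                    r"(true|false)(\d+\.\d+\.\d+\.\d+)(.*?)(\d+)-?$", re.S)
# TargetImage ends in .exe, then GrantedAccess (hex), then the CallTrace starting with a drive letter.
ACCESS_RE = re.compile(r"\.exe(0x[0-9A-Fa-f]+?)(?=[A-Za-z]:\\)(.*)$", re.S)

# PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE
SUSPICIOUS_ACCESS = 0x0002 | 0x0010 | 0x0020 | 0x0040
# Destinations the forwarder legitimately talks to in these records (the Splunk server 10.0.1.12).
EXPECTED_EGRESS = {("10.0.1.12", 8000), ("10.0.1.12", 8089)}


@dataclass
class SysmonEvent:
    event_id: int
    record_id: int
    computer: str
    utc_time: str
    process_guid: str
    pid_raw: str                    # Event ID 10 runs SourceProcessId and SourceThreadId together here
    net: Optional[dict] = None      # Event ID 3 fields
    access: Optional[dict] = None   # Event ID 10 fields


def split_header(digits: str) -> tuple:
    """Split '<EventID><Version><Level><Task><Opcode>'. Version, Level and Opcode are one digit
    each in every record on this page, and Sysmon sets Task == EventID, which fixes where the
    EventID ends (e.g. '1124110' -> 11,2,4,11,0 rather than 1,1,2,411,0)."""
    for n in range(1, len(digits) - 3):
        event_id, task = digits[:n], digits[n + 2:-1]
        if event_id == task:
            return int(event_id), int(digits[n]), int(digits[n + 1]), int(task), int(digits[-1])
    raise ValueError(f"unparseable header {digits!r}")


def parse_record(rec: str) -> SysmonEvent:
    h, t = HEADER_RE.match(rec), UTC_RE.search(rec)
    if not (h and t):
        raise ValueError("not a Sysmon record: " + rec[:60])
    event_id = split_header(h.group(1))[0]
    ev = SysmonEvent(event_id, int(h.group(3)), h.group(4), t.group(1), t.group(2), t.group(3))
    if event_id == 3:
        n = NET_RE.search(rec)
        if n:
            ev.net = {"proto": n.group(1), "initiated": n.group(2) == "true",
                      "src_ip": n.group(4), "src_port": int(n.group(6)),
                      "dst_ip": n.group(8), "dst_host": n.group(9), "dst_port": int(n.group(10))}
    elif event_id == 10:
        a = ACCESS_RE.search(rec)
        if a:
            ev.access = {"granted_access": int(a.group(1), 16), "call_trace": a.group(2).split("|")}
    return ev


def parse_dump(text: str) -> list:
    return [parse_record(r) for r in SPLIT_RE.split(text.strip()) if r]


def find_alerts(events) -> list:
    """(record_id, reason, detail) for initiated connections off the allowlist and for
    ProcessAccess grants that include thread creation, memory read/write or handle duplication."""
    alerts = []
    for ev in events:
        if ev.net and ev.net["initiated"] and (ev.net["dst_ip"], ev.net["dst_port"]) not in EXPECTED_EGRESS:
            alerts.append((ev.record_id, "unexpected outbound connection",
                           f"{ev.net['dst_ip']}:{ev.net['dst_port']}"))
        if ev.access and ev.access["granted_access"] & SUSPICIOUS_ACCESS:
            alerts.append((ev.record_id, "sensitive process access", hex(ev.access["granted_access"])))
    return alerts


# Records 248494, 248498, 248540 and 248574 are copied from this page; 900001 is constructed.
SAMPLE_DUMP = " ".join([
    r"354300x8000000000000000248494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:44.504{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56351-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-",
    r"11241100x8000000000000000248498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:27:49.094{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754",
    r"354300x8000000000000000248540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:01.873{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56355-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-",
    r"10341000x8000000000000000248574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:19.481{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1500-000000004402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791",
    # Constructed test record (not from the page): powershell.exe to 203.0.113.7:4444.
    r"354300x8000000000000000900001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.000{8D845A55-0000-6260-9900-000000004402}4242C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56400-false203.0.113.7example.net4444-",
])

if __name__ == "__main__":
    events = parse_dump(SAMPLE_DUMP)
    for ev in events:
        print(ev.record_id, ev.event_id, ev.utc_time, ev.process_guid, ev.pid_raw)
    print(find_alerts(events))
```

The GrantedAccess 0x1400 on the page's svchost-to-svchost ProcessAccess records is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, which the mask test correctly leaves alone; the lsm.dll frame in the call trace is consistent with the session manager querying processes over RPC. Two limits of the flattened format are worth knowing before building detections on it: Image and TargetFilename (Event ID 11) and the PID/TID pair of Event ID 10 run together with no way to separate them, and an Event ID 3 record whose DestinationHostname is empty fuses the destination IP and port into one digit string that no regex can split reliably. Keep the XML (or Splunk's extracted fields) for real pipelines; this parser is for triaging a dump like the one above.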
354300x8000000000000000248569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:15.614{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:18.121{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:18.121{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132E34828F06930687A85DF8D99F772B,SHA256=1AEEC278AAE9EDE9D912323979A1F9BA6F5DA458F45F069C64A5EF369EA390B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000248574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:19.481{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1500-000000004402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:19.480{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1500-000000004402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:19.480{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-159D-6260-1500-000000004402}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000248571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:19.225{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:19.225{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B09265F6046239E502C6FE77338870,SHA256=ED6B0920205ADFA6E453BBBA0B93ED827D9196BD0488AFE9611EE29614A22C96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:20.332{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:20.331{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ED9118E8B94BCB502BAEA7315898DF,SHA256=C3EB0200E0BC64370A6D56E61382A9B251CC2A8582EF9D066FC3FA181FE81AB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:21.438{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:21.437{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE0F2B6E716596763BB91B3F58AFF06,SHA256=FF8DB30C0681302A23618D9BBF1F533F1BA513F654842F742FBF902C4737E4D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:22.540{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:22.540{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D044BDB7B558771CC1EB0F89405B01,SHA256=FC4D342426CFB23AE8EA95D8760572E83B33782ACF68C12241B360D93C5CFDF9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:23.643{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:23.643{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85DF6EDD7BF1AD9470CF2ECD0AC3C99,SHA256=EC7398E9849B73179A04A07899DC5F0F5ECE89C06541C109AE203C21EE134F78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:24.748{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000248584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:24.748{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D4828C5A5FB374E9ECED36E0E3398A,SHA256=E9D38BDC916E4550FC5F6FEAFDF74693A2A8FA99C355834F683287C679E50E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:20.639{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:25.752{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:25.751{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A55567A1A2CEBE1AC48DA80EEE5FDB,SHA256=1AA61D0DB851B5B6CF75BB439ABA1DD22E074464898A592F727E826F605E86D2,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000248590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:26.856{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:26.856{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99C97FED76195688A57F7C011C2699A,SHA256=231D7ACE7B49AC0F3BD5BC98F0CB1C59C31C51C6369DA04690A00CF65958AED2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:26.104{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:28:26.104 11241100x8000000000000000248592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:27.959{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:27.959{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E124CE672F755EF4D43E03BCF3BBB7,SHA256=07BF2F6C9D5DE4FFA06C100C8A5BBAAC3709620350EA3D90FE8FD1169A9287AF,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000248648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.675{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000248647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.674{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000248646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.673{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000248645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.671{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 
(rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000248644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:26.602{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000248643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.510{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=44C3B8F4AEB5CF9C881D317FD4A42A90,SHA256=BB505287D27C68827E3088405A416A0E33A4BE564E0EB1BEB809D9B266771230,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000248642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.455{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000248641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.455{8D845A55-269D-6260-2703-000000004402}2276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000248640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.454{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.453{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.451{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating 
SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000248637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.451{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.451{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.450{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000248634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.444{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000248633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.444{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000248632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.444{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000248631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.443{8D845A55-269D-6260-2703-000000004402}2276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000248630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.443{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000248629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.443{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000248628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.443{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual 
Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000248627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.443{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000248626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.443{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000248624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000248623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000248622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000248621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000248620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000248619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000248618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:29.442{8D845A55-269D-6260-2703-000000004402}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000248717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.789{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000248716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.788{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.788{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 
10341000x8000000000000000248711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000248709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000248707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.787{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-269E-6260-2903-000000004402}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.786{8D845A55-269E-6260-2903-000000004402}592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000248704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.512{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.512{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910A5F8D8BA5956B943E932DCD82A24C,SHA256=C6E24EC4CE4B172FA50C8BA0B2EA2E7A1E28155CAD251B71D6148D5F79AB6BA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.511{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000248701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:30.508{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06E9410845B4E033F9758E54BD3BEB68,SHA256=56EF60F83F71672316BB43FE2B4C2B0132CD40189AAF7209456886BF9912AAE9,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000248700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.306{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000248699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.304{8D845A55-269E-6260-2803-000000004402}52686040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.304{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000248697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.303{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000248696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.139{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000248695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.139{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000248694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.139{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.138{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.136{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000248691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.136{8D845A55-269E-6260-2803-000000004402}5268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.136{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.135{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000248688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.135{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000248687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.128{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000248686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.127{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000248685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.127{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 
734700x8000000000000000248684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.127{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000248683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.127{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000248682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000248681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000248680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000248679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000248678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000248677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000248676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.126{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000248675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.125{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000248674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.125{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000248673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.125{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000248672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.125{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000248671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.124{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 
734700x8000000000000000248670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.124{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000248669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.124{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000248668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.124{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000248667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.123{8D845A55-269E-6260-2803-000000004402}5268C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000248666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.123{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000248665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.123{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000248664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.123{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000248663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.123{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000248662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.123{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.121{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 
10341000x8000000000000000248660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.121{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.120{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.120{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000248657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:30.120{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.120{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000248655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:30.120{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.120{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000248653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:30.119{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.119{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:30.119{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.118{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:30.119{8D845A55-269E-6260-2803-000000004402}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000248818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.915{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000248817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.914{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000248816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.913{8D845A55-269F-6260-2A03-000000004402}1045884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.913{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000248814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.912{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000248813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.749{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000248812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:31.748{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000248811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.748{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.747{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.746{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000248808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.746{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.746{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.745{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000248805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.739{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000248804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.739{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000248803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.739{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000248802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.739{8D845A55-269F-6260-2A03-000000004402}104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000248801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.738{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000248800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.738{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000248799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.737{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000248798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.737{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.737{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000248796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:31.737{8D845A55-269F-6260-2A03-000000004402}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 
Sysmon events (channel Microsoft-Windows-Sysmon/Operational, computer win-dc-ctus-attack-range-355.attackrange.local). Every record below carries Keywords 0x8000000000000000, Level 4, Opcode 0 and RuleName "-", so those fields are not repeated. The export ran the rendered field values together with no delimiters; field names below follow the Sysmon event schema for each EventID and version, and records are listed in the export's own order (descending EventRecordID within each block). In ProcessAccess records the run-together "SourceProcessId SourceThreadId" digits are split on the Windows rule that process and thread IDs are multiples of 4.

EventID 7 ImageLoad (version 3), columns:
EventRecordID | UtcTime | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus

Image loads by ProcessGuid {8D845A55-269F-6260-2A03-000000004402}, ProcessId 104, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe:
248795 | 2022-04-20 15:28:31.737 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
248794 | 2022-04-20 15:28:31.737 | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
248793 | 2022-04-20 15:28:31.737 | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
248792 | 2022-04-20 15:28:31.737 | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
248791 | 2022-04-20 15:28:31.736 | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | true | Splunk, Inc. | Valid
248790 | 2022-04-20 15:28:31.736 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692 | true | Microsoft Windows | Valid
248789 | 2022-04-20 15:28:31.736 | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
248788 | 2022-04-20 15:28:31.736 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
248787 | 2022-04-20 15:28:31.736 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | true | Splunk, Inc. | Valid
248786 | 2022-04-20 15:28:31.736 | C:\Windows\System32\sechost.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | true | Microsoft Windows | Valid
248785 | 2022-04-20 15:28:31.736 | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
248784 | 2022-04-20 15:28:31.736 | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | true | Microsoft Windows | Valid
248783 | 2022-04-20 15:28:31.736 | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | true | Microsoft Windows | Valid
248782 | 2022-04-20 15:28:31.736 | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 | true | Splunk, Inc. | Valid
248781 | 2022-04-20 15:28:31.735 | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.10 | libxml2 library | libxml2 | - | libxml2.dll | MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 | true | Splunk, Inc. | Valid
248780 | 2022-04-20 15:28:31.735 | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | true | Microsoft Windows | Valid
248779 | 2022-04-20 15:28:31.735 | C:\Windows\System32\advapi32.dll | 10.0.14393.4886 (rs1_release.220104-1735) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA | true | Microsoft Windows | Valid

[248778] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.734 | SourceProcessGUID {8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId 3292 | SourceThreadId 3312 | SourceImage C:\Windows\system32\conhost.exe | TargetProcessGUID {8D845A55-269F-6260-2A03-000000004402} | TargetProcessId 104 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess 0x1fffff
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Image loads by ProcessGuid {8D845A55-269F-6260-2A03-000000004402}, ProcessId 104, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe (continued, same columns as above):
248777 | 2022-04-20 15:28:31.734 | C:\Windows\System32\KernelBase.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9 | true | Microsoft Windows | Valid
248776 | 2022-04-20 15:28:31.734 | C:\Windows\System32\kernel32.dll | 10.0.14393.4651 (rs1_release.210911-1554) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | true | Microsoft Windows | Valid
248775 | 2022-04-20 15:28:31.733 | C:\Windows\System32\ntdll.dll | 10.0.14393.5006 (rs1_release.220301-1704) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
248774 | 2022-04-20 15:28:31.733 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | - | - | - | - | - | MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | true | Splunk, Inc. | Valid

[248773] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.733 | SourceProcessGUID {8D845A55-159C-6260-0C00-000000004402} | SourceProcessId 844 | SourceThreadId 100 | SourceImage C:\Windows\system32\svchost.exe | TargetProcessGUID {8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId 1212 | TargetImage C:\Windows\sysmon64.exe | GrantedAccess 0x1400
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
[248772] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.732 | same source, target and GrantedAccess 0x1400 as 248773
    CallTrace: identical to 248773 except the third frame, c:\windows\system32\lsm.dll+11aad
[248771] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.732 | same source, target and GrantedAccess 0x1400 as 248773
    CallTrace: identical to 248773 except the third frame, c:\windows\system32\lsm.dll+11058
[248770] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.732 | same source, target and GrantedAccess 0x1400 as 248773
    CallTrace: identical to 248773 except the third frame, c:\windows\system32\lsm.dll+12023
[248769] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.732 | SourceProcessGUID {8D845A55-159A-6260-0500-000000004402} | SourceProcessId 420 | SourceThreadId 356 | SourceImage C:\Windows\system32\csrss.exe | TargetProcessGUID {8D845A55-269F-6260-2A03-000000004402} | TargetProcessId 104 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess 0x1fffff
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
[248768] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:31.732 | SourceProcessGUID {8D845A55-15AE-6260-2E00-000000004402} | SourceProcessId 3040 | SourceThreadId 3752 | SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID {8D845A55-269F-6260-2A03-000000004402} | TargetProcessId 104 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | GrantedAccess 0x1fffff
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

[248767] EventID 1 ProcessCreate (version 5) | UtcTime 2022-04-20 15:28:31.732 | ProcessGuid {8D845A55-269F-6260-2A03-000000004402} | ProcessId 104 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe | FileVersion - | Description - | Product - | Company - | OriginalFileName - | CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" | CurrentDirectory C:\Windows\system32\ | User NT AUTHORITY\SYSTEM | LogonGuid {8D845A55-159B-6260-E703-000000000000} | LogonId 0x3e7 | TerminalSessionId 0 | IntegrityLevel System | Hashes MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 | ParentProcessGuid {8D845A55-15AE-6260-2E00-000000004402} | ParentProcessId 3040 | ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

[248766] EventID 3 NetworkConnect (version 5) | UtcTime 2022-04-20 15:28:27.760 | ProcessGuid {8D845A55-159B-6260-0B00-000000004402} | ProcessId 636 | Image C:\Windows\System32\lsass.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated false | SourceIsIpv6 true | SourceIp 0:0:0:0:0:0:0:1 | SourceHostname win-dc-ctus-attack-range-355.attackrange.local | SourcePort 56361 | SourcePortName - | DestinationIsIpv6 true | DestinationIp 0:0:0:0:0:0:0:1 | DestinationHostname win-dc-ctus-attack-range-355.attackrange.local | DestinationPort 389 | DestinationPortName ldap
[248765] EventID 3 NetworkConnect (version 5) | UtcTime 2022-04-20 15:28:27.760 | ProcessGuid {8D845A55-15AE-6260-2B00-000000004402} | ProcessId 2952 | Image C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe | User NT AUTHORITY\SYSTEM | Protocol tcp | Initiated true | SourceIsIpv6 true | SourceIp 0:0:0:0:0:0:0:1 | SourceHostname win-dc-ctus-attack-range-355.attackrange.local | SourcePort 56361 | SourcePortName - | DestinationIsIpv6 true | DestinationIp 0:0:0:0:0:0:0:1 | DestinationHostname win-dc-ctus-attack-range-355.attackrange.local | DestinationPort 389 | DestinationPortName ldap

FileCreate / FileDelete pairs by ProcessGuid {8D845A55-15C1-6260-8300-000000004402}, ProcessId 776, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, User NT AUTHORITY\SYSTEM, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational:
[248764] EventID 11 FileCreate (version 2) | UtcTime 2022-04-20 15:28:31.293 | CreationUtcTime 2022-04-12 13:22:35.754
[248763] EventID 23 FileDelete (version 5) | UtcTime 2022-04-20 15:28:31.293 | Hashes MD5=FFBE2A68D63335B3B403367B0DC0B6BE,SHA256=9F5DBE3BE7038E03831DB27458D79D9C10CDEB3A37EB89CE0D9055A878CA822B,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
[248762] EventID 11 FileCreate (version 2) | UtcTime 2022-04-20 15:28:31.030 | CreationUtcTime 2022-04-12 13:22:35.754
[248761] EventID 23 FileDelete (version 5) | UtcTime 2022-04-20 15:28:31.030 | Hashes MD5=AC42D2EC8B56D905B5AA2FD36DF3C719,SHA256=0DC7ED233462D8CD4CD898683A5BD0301E83A1E9ACDAA3BBD1A8E61904906F1E,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true
[248873] EventID 11 FileCreate (version 2) | UtcTime 2022-04-20 15:28:32.831 | CreationUtcTime 2022-04-12 13:22:35.754
[248872] EventID 23 FileDelete (version 5) | UtcTime 2022-04-20 15:28:32.829 | Hashes MD5=8E9650A66677B438903A2B505AAF7FB7,SHA256=838A9B850AD2F95E1074E231856C6D41483068928305804945F0AA86EE251D51,IMPHASH=00000000000000000000000000000000 | IsExecutable false | Archived true

[248871] EventID 5 ProcessTerminate (version 3) | UtcTime 2022-04-20 15:28:32.567 | ProcessGuid {8D845A55-26A0-6260-2B03-000000004402} | ProcessId 5184 | Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe

Image loads by ProcessGuid {8D845A55-26A0-6260-2B03-000000004402}, ProcessId 5184, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe (same columns as above):
248870 | 2022-04-20 15:28:32.566 | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667D | true | Microsoft Windows | Valid

[248869] EventID 10 ProcessAccess (version 3) | UtcTime 2022-04-20 15:28:32.565 | SourceProcessGUID {8D845A55-26A0-6260-2B03-000000004402} | SourceProcessId 5184 | SourceThreadId 4088 | SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | TargetProcessGUID {8D845A55-15AE-6260-2E00-000000004402} | TargetProcessId 3040 | TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | GrantedAccess 0x101400
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

Image loads by ProcessGuid {8D845A55-26A0-6260-2B03-000000004402}, ProcessId 5184, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe (continued, same columns as above):
248868 | 2022-04-20 15:28:32.558 | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2E | true | Microsoft Windows | Valid
248867 | 2022-04-20 15:28:32.558 | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | true | Microsoft Windows | Valid
248866 | 2022-04-20 15:28:32.405 | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | true | Microsoft Windows | Valid
248865 | 2022-04-20 15:28:32.405 | C:\Windows\System32\rsaenh.dll | 10.0.14393.4467 (rs1_release.210604-1844) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | true | Microsoft Windows | Valid
248864 | 2022-04-20 15:28:32.405 | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | true | Microsoft Windows | Valid
248863 | 2022-04-20 15:28:32.403 | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | true | Microsoft Windows | Valid
248862 | 2022-04-20 15:28:32.402 | C:\Windows\System32\bcrypt.dll | 10.0.14393.4583 (rs1_release.210730-1850) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | true | Microsoft Windows | Valid
248861 | 2022-04-20 15:28:32.402 | C:\Windows\System32\wkscli.dll | 10.0.14393.4886 (rs1_release.220104-1735) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | true | Microsoft Windows | Valid
248860 | 2022-04-20 15:28:32.401 | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | true | Microsoft Windows | Valid
248859 | 2022-04-20 15:28:32.401 | C:\Windows\System32\netapi32.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 | true | Microsoft Windows | Valid
248858 | 2022-04-20 15:28:32.395 | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | true | Microsoft Corporation | Valid
248857 | 2022-04-20 15:28:32.395 | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | true | Microsoft Windows | Valid
248856 | 2022-04-20 15:28:32.395 | C:\Windows\System32\oleaut32.dll | 10.0.14393.4402 (rs1_release.210426-1725) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | true | Microsoft Windows | Valid
248855 | 2022-04-20 15:28:32.394 | C:\Windows\System32\bcryptprimitives.dll | 10.0.14393.4770 (rs1_release.211101-1440) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcryptprimitives.dll | MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | true | Microsoft Windows | Valid
248854 | 2022-04-20 15:28:32.394 | C:\Windows\System32\combase.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Microsoft COM for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | COMBASE.DLL | MD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | true | Microsoft Windows | Valid
248853 | 2022-04-20 15:28:32.394 | C:\Windows\System32\ole32.dll | 10.0.14393.4651 (rs1_release.210911-1554) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | true | Microsoft Windows | Valid
248852 | 2022-04-20 15:28:32.394 | C:\Windows\System32\gdi32full.dll | 10.0.14393.4886 (rs1_release.220104-1735) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | true | Microsoft Windows | Valid
248851 | 2022-04-20 15:28:32.393 | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | true | Microsoft Windows | Valid
248850 | 2022-04-20 15:28:32.393 | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | true | Microsoft Windows | Valid
248849 | 2022-04-20 15:28:32.393 | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | true | Microsoft Windows | Valid
248848 | 2022-04-20 15:28:32.393 | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | true | Microsoft Windows | Valid
248847 | 2022-04-20 15:28:32.393 | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | true | Microsoft Windows | Valid
248846 | 2022-04-20 15:28:32.393 | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | true | Microsoft Windows | Valid
248845 | 2022-04-20 15:28:32.393 | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | true | Microsoft Corporation | Valid
248844 | 2022-04-20 15:28:32.393 | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | true | Splunk, Inc. | Valid
248843 | 2022-04-20 15:28:32.393 | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | true | Splunk, Inc. | Valid
248842 | 2022-04-20 15:28:32.393 | C:\Windows\System32\rpcrt4.dll | 10.0.14393.5006 (rs1_release.220301-1704) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692 | true | Microsoft Windows | Valid
248841 | 2022-04-20 15:28:32.392 | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | true | Splunk, Inc. | Valid
248840 | 2022-04-20 15:28:32.392 | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2za | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | true | Splunk, Inc. | Valid
734700x8000000000000000248839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.392{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000248838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.392{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000248837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.392{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000248836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.392{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000248835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.391{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000248834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.391{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000248833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.391{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000248832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.391{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000248831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.391{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000248830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.390{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.389{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.389{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.388{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.388{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000248825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.388{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:32.387{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.387{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:32.387{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.387{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.387{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.387{8D845A55-26A0-6260-2B03-000000004402}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000248990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.790{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000248989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.789{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000248988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.788{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000248987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.787{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000248986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.639{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000248985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.639{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000248984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.639{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF42920d.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.637{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF42920d.TMP2022-04-20 15:28:33.637 734700x8000000000000000248982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.633{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 11241100x8000000000000000248981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.633{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SJTBVRHH4QTVMNILMB8X.temp2022-04-20 15:28:33.632 734700x8000000000000000248980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:33.633{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000248979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.632{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000248978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.631{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000248977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.630{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000248976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.630{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000248975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.629{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000248974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.623{8D845A55-26A1-6260-2D03-000000004402}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft 
734700x8000000000000000248905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000248904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000248902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 
(rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000248901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000248900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000248899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.050{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000248898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000248897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000248896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000248895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000248894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000248893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000248892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000248891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000248890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000248889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 
734700x8000000000000000248888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000248887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.049{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000248886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.048{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000248885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.048{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000248884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.047{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000248883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.047{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000248882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.046{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000248881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.046{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000248880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.046{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:33.045{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.045{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:33.045{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000248876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.045{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000248875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.045{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000248874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:33.044{8D845A55-26A1-6260-2C03-000000004402}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000248992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:35.137{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:35.136{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8227A8D7CA467FCB7F356244FF771678,SHA256=18BA6D99D4E7EC9AEEE352C6854C066D3C11184B200B4761C586021FBA0DBA81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000248995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:32.419{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000248994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:36.231{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:36.231{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ED37F480A3E77C7645385D633DDFCA,SHA256=06C3BDFAEE15867BEEDCB9DA180AB51A2202341EDD66CE1893AAF03F9FD3E8E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:37.336{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:37.336{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EEE98B7E1EB8AA1E4A43763685E7F5,SHA256=5DD8251A7C30B96690AA5D33948558F3601022FC30692106C1103058B1AE799C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000248999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:38.440{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000248998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:38.440{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA65374C45E86F7DD368BEDC519B7EA,SHA256=4460A7979B5E835CE47330CC7015A592C2C30D64EAE42FFFC3D80C954DBDBE4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:39.543{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:39.543{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5664DD609976F658F12053324621910B,SHA256=207FC34DF79E0DB9ECBD3948D32380B4DE6B7A9FBBC7ACD612E85E641ED8CBD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:40.649{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:40.648{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BEA7E2DC7C896FC3D83FB5B0FC4EC1,SHA256=A6F567CF664A023F464A029FC025A7BE2F698EF1DB7A3A4F8E403B025B643CCE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:41.753{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:41.753{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E8D180D7B92D221B3ACD1A347FF335,SHA256=460DC42FECEDE24294E91401AD1A5F4A2FAFF8D59BBD15EC69842B3F91227786,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:37.500{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:42.858{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:42.858{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B296CB615F67EB5C92A8673E2C1E50E2,SHA256=0A29EC95608156340563232B51F5A86E439F46B8C9D073C87B0B2F9AA870FEA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000249047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.846{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15DF-6260-9400-000000004402}4324C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E2-6260-9600-000000004402}4560C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.845{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:28:43.844{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000249049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:44.277{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:44.277{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFC03374CF7B87D1153629F6238BD3E,SHA256=995C3462651270C403A61D6253606EFDD2CDFAA1A0E2F4A51F7DED47D49E35F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:42.619{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000249053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:45.378{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:45.378{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61E36FA3D1DFF30E8709E8C71A10B0A3,SHA256=A09F4B0D224BD84A0AD3D6E63DF352C9EF91D42B1F39668D0171733F49E34778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:45.264{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:45.263{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=EE313D7EE6A4608BD12D94332D7DBFB2,SHA256=2C1136726EEF9965191523028851C3906E05538B546A345DCD7B02B598684288,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:46.481{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:46.481{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B6C0F34BEB8989DEDF1C8D62CF0B29,SHA256=04687605E09C1C3AD58CBD4D8F1A4B2D41791B5670576AC58563BC2B57059B51,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:47.486{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:47.486{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DA2708E7B584B9104ABC5732DD1861,SHA256=C4FC0515D8C8D5DC78BBFB775F895D1F4BEBA706F7FFDEB101DD0B5C38480E77,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:48.592{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:48.591{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FB5A9F5EF2DD0E62B31D0C3A47B932,SHA256=F087A727E6879155353DDF474BDF8184BF25D9EAB89CF908FBBAF5DA2A4B5B15,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:49.696{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:49.696{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187C7CF6090267967E8B935F3429802C,SHA256=D551832D76EFE40336277EBA5DA1E787B56EEE4DBF73588C56235D6CF6B95EE3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:50.800{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:50.799{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121CE673C708D6A49144BFA59F0087E0,SHA256=AA5F267065E2027E23E054FC96D380CD7E34ED2DB1F2BB3229C2D3EE95279BE5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:51.903{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:51.903{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9E1ED0BBEBB4C57C5A29022F4582C6,SHA256=69D6CBCB04D8AFB062497673C639AC316665F1208A408F94662C9CC32E5C8B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:48.457{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:53.007{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:53.007{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12498E6455A4AA62FB0BFA99B7AE14CC,SHA256=437B01A9AD28592BF4E1B2084BC9ED10AD982F6510C430F334E6380FFE2387DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:54.110{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:54.110{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E647BD6BB9B13BDEB03E04F5E9606AE,SHA256=2CDA37807040302B24A99EBF335400738429FE914DCB44D70F14620F2327A7B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:55.212{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:55.212{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC40406E20A699715E911A15923C975,SHA256=DE58A854BF4F96078A6C1F79A3AC2EAB10985D81B3D7A5CAB4CBAAA021222759,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:53.508{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56366-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000249076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:56.316{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:56.316{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A450D055C753A33ED67B03D1B5FAAC,SHA256=780E56DBEA05BBA5908400A49355D572497C4020834D923FF5A77515D48F8034,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:56.095{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:28:56.095 11241100x8000000000000000249079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:57.419{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:57.418{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24956C4B5A063D83B0CC2C99BF5A38D,SHA256=2073C1BE864019DB39BE7DB1CB7424981662902795F89610B101AF71330AAC9E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:58.521{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:58.521{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A13CBDF97A7806E836802988F51086A,SHA256=2B2C4702977C1FA4F693F362890845BFEB1DF15428B078B6429D536C2C396630,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:59.625{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:59.625{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96267660E60759620293425F6D4DFF1,SHA256=42DF1FED6F3DE241ACEFEF0CC4537AD089D9599ECFECE9DC9C7933CBE4291857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:59.533{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9581C2662AF74269E58115347A5C0D63,SHA256=7769682C621906C65FC2BAAD46BC21C555A96720588F39BD6AFDFD05EFC4EE12,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:59.303{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-04-20 14:16:57.501 23542300x8000000000000000249082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:59.302{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D34ACC2F0A0BE1AC62EA1A4451E6E68D,SHA256=8F7356AF22E1094C6216046739E5E5C046D9D466B122E1A6818725291BC39394,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:00.643{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:00.643{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9F5BAFE816B556BE71ADA0F01F5641,SHA256=BCC1CD345EBEB74171B34B89921A162D1551A8519B611146CC074E579BA97388,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000249096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000249095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0042f9a1) 13241300x8000000000000000249094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d854c2-0xf9c575ea) 13241300x8000000000000000249093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d854cb-0x5b89ddea) 13241300x8000000000000000249092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d854d3-0xbd4e45ea) 13241300x8000000000000000249091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000249090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0042f9a1) 13241300x8000000000000000249089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d854c2-0xf9c575ea) 13241300x8000000000000000249088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d854cb-0x5b89ddea) 13241300x8000000000000000249087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:00.147{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d854d3-0xbd4e45ea) 11241100x8000000000000000249100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:01.748{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:01.748{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170B0743F5C5951221A67A03707B03F7,SHA256=6863D0D14D9C8F6773A46EE3305BD547DCC5CD0778651B6612042F4471E5E2BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:02.753{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:02.753{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EBFADDBC725771E7848F51887D0483E,SHA256=A0ADA792222E082C3420157BA26C6ED4AC39F7A7C820894B55C2773B7863849F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:28:58.568{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:03.858{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:03.857{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3748BF6069EABF538860F281EC472DD8,SHA256=B44771EA4761F3EF74F0C9BB9A0EC831343151C1A00615797CCCD2295D26BC97,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:03.492{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000249104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:03.492{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:04.963{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:04.962{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2278B1A9EB6601F77FE6AF57F79219F5,SHA256=ED08FFF93C9C8E135C687910AFB25A7FAF14684F63F38B7F0049C8365302FD98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:04.013{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-070MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:04.012{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0702022-04-20 15:29:04.012 11241100x8000000000000000249108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:04.011{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0712022-04-20 15:29:04.011 354300x8000000000000000249114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:01.889{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56368-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000249113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:05.011{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-071MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:03.660{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56369-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:06.068{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
734700x8000000000000000249186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.443{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000249185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.443{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000249184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.443{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.443{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000249182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.443{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000249181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.442{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000249180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.442{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000249179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.441{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.441{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.441{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
10341000x8000000000000000249176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.440{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.440{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.440{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.439{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.439{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000249171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.439{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:29.438{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.438{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:29.438{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.438{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.438{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.438{8D845A55-26D9-6260-2E03-000000004402}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000249164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:29.062{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:29.061{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3A020F235D7C74A2C0DFCEBEA778B5,SHA256=9F195C1BE7F0077AD4F4A9405E81B09CCCF5652ACAE2642B78735ABD58ADE507,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000249327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.891{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.891{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.890{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.890{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.888{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.888{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000249321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.888{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.887{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000249319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.882{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000249318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.881{8D845A55-26DA-6260-3003-000000004402}5180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.881{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000249316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.881{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000249315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.881{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000249314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.881{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000249313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.881{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 
734700x8000000000000000249311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000249310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000249309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000249307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000249306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.880{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000249305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000249304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000249303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000249301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.879{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.878{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000249296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.878{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.878{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000249294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.878{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000249293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.878{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.878{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000249291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.877{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26DA-6260-3003-000000004402}5180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.877{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.876{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.876{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.876{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000249286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.876{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:30.876{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.875{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:30.875{8D845A55-159C-6260-0C00-000000004402}8444504C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.875{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.875{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.875{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000249279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:27.761{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 
354300x8000000000000000249278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:27.761{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000249277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.538{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.538{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC3C88BE3F24A3DE3A11159DDC64892,SHA256=05DC0AEB92824113B2E5BF914AB484E856942C5C62F4280971CAA9877C8EEE03,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.537{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000249274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.537{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FAF2A7E5D4A339E6324AF863779C148,SHA256=9C5038A916D137591A4BD7A5339E303702A5C530F69D746376CBDA891C3F6861,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000249273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.387{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000249272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.378{8D845A55-26DA-6260-2F03-000000004402}61321872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.378{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 
734700x8000000000000000249270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.377{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000249269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.123{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.122{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.121{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.121{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.119{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.119{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000249263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.118{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.118{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000249261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.117{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 
734700x8000000000000000249260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.110{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.110{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000249258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.110{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000249257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.110{8D845A55-26DA-6260-2F03-000000004402}6132C:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.740{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.740{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.739{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000249352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.739{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.739{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.739{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.739{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.739{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000249347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.738{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.737{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000249345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.737{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.737{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.735{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000249342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:31.735{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.735{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:31.734{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.734{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:31.734{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.734{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.733{8D845A55-26DB-6260-3103-000000004402}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000249335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.263{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.262{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631F1472163338F8B29788373600EDA9,SHA256=207DB89E7C2C87020CC56CFD06B5EAC6E86B3F599A8EF51FCD3C222ECA181330,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.056{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.056{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11875E2D2F8309356DCD9CC7BA684BD,SHA256=C343A3E3A819B4E58D537110A581D3C55164B0E72794F3C5DA5CA1AB49131170,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000249331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.022{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000249330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.021{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000249329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.020{8D845A55-26DA-6260-3003-000000004402}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000249328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:31.019{8D845A55-26DA-6260-3003-000000004402}5180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000249489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.957{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.957{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.956{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.956{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.954{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.954{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000249483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.954{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.953{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000249481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.948{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000249480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.947{8D845A55-26DC-6260-3303-000000004402}1632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.947{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000249478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.947{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000249477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.947{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000249409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000249404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.285{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.284{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.284{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.284{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000249399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:32.283{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.283{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.282{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.282{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.282{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000249394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.281{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:32.281{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.281{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:32.281{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.281{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.280{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:32.280{8D845A55-26DC-6260-3203-000000004402}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000249553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.777{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000249552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.777{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000249551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.775{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000249550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.775{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000249549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:30.529{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56375-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000249548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:33.635{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.634{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.634{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.633{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.632{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000249543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.632{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.631{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000249541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000249540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000249536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000249535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.625{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid
734700x8000000000000000249534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.624{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid
734700x8000000000000000249533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.624{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid
734700x8000000000000000249532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.624{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid
734700x8000000000000000249531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.624{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid
734700x8000000000000000249530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.624{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid
734700x8000000000000000249529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.624{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid
734700x8000000000000000249528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid
734700x8000000000000000249527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid
734700x8000000000000000249526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid
734700x8000000000000000249525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid
734700x8000000000000000249524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid
734700x8000000000000000249523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid
734700x8000000000000000249522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid
734700x8000000000000000249521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.623{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid
734700x8000000000000000249520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.622{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid
734700x8000000000000000249519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.622{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid
734700x8000000000000000249518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.622{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid
734700x8000000000000000249517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.622{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid
734700x8000000000000000249516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.621{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid
734700x8000000000000000249515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.621{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid
734700x8000000000000000249514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.621{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000249513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.621{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid
10341000x8000000000000000249512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.620{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000249511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.619{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid
734700x8000000000000000249510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.619{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid
734700x8000000000000000249509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.619{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid
734700x8000000000000000249508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.619{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid
10341000x8000000000000000249507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.618{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000249506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.618{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000249505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.618{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000249504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.618{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000249503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.618{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000249502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.618{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000249501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.617{8D845A55-26DD-6260-3403-000000004402}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x8000000000000000249500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.335{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.335{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C40109EF5CBB133587F4421A6BA9FB,SHA256=30A130FB7E72922724D6AC1593546E6769FA2BC000AB89AE0F79B81EF4159D86,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.332{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.332{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B51E1C43955848514EF10B3C7C2CC5C,SHA256=4856F21417270BB13A8C7E4279D88EE26DF7123F2CAA9ECE229AE8DC077F0A2E,IMPHASH=00000000000000000000000000000000falsetrue
534500x8000000000000000249496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.100{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x8000000000000000249495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.098{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid
10341000x8000000000000000249494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.098{8D845A55-26DC-6260-3303-000000004402}16324932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
734700x8000000000000000249493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.092{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid
734700x8000000000000000249492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.091{8D845A55-26DC-6260-3303-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid
23542300x8000000000000000249491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.026{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\aborted-session-pingMD5=6EB7BC630EF759BB65064C4FBBF6F508,SHA256=3936B84C67CBD9AB2BCD155FC01755213CF08F23766F0C51578CE457A59F6E0F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:33.021{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\aborted-session-ping.tmp2022-04-20 15:29:33.020
11241100x8000000000000000249555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:34.861{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:34.861{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C321E49D5D8880518EDD609ABB86049,SHA256=D11E32ED56EB93314D1AB5B13ED2FCD480E9BF470D2883ACEF15CA52C84B6E81,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:35.963{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:35.963{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D432497B9DDAA4996EAAF871C6A1887C,SHA256=DB51DBBBD2548CAAD3E0EB9D5F1E2B1F8A6186522845573A97ACB33227D96947,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:37.068{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:37.068{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DED881A516680C3194CB4D18FE391A8,SHA256=56694FFF93FC4A2F428978F13DF10E9780E64E30008D652943BF58AEBDCF09F0,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:38.177{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:38.177{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1817A6FFCD4A921C2B022228ECCB471,SHA256=BB80258DC3A9954906BB31EB537BE80A94AFD4D4B90330ACC9CF1DDF3B3B63F1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000249564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:36.490{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
11241100x8000000000000000249563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:39.280{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:39.280{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEB96776E385D7418AAEE0D39A72D68,SHA256=A2C1765B12C081436099E4AC66B89030D793401A808BD7B6A7DC6319800A4879,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:40.421{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993
23542300x8000000000000000249567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:40.421{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=448F649B539CCE1B64F4B4E4C3223B7F,SHA256=009C27756536F9A47A3C6D81F82B1EF995728E2762CBF76CDB9B26BD1315D69C,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:40.384{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:40.384{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771696864B4FBBD1756AF2F9A0F4A86E,SHA256=899AAF8447BAB2FEC314E17B64D433D80251089BA0E2706794BEF13D7BC6F8D2,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:41.489{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:41.489{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF03C428EDE7527EC91C3CBF0B08894C,SHA256=0A180C99D8B4503C049294E9A5035A749C71B72C4A99BEA75B15FDF6C2187552,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:42.592{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:42.592{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D13576DAC77D685723B2762323EB765,SHA256=86248518DE1358CE1C5D311BF128DEEE6383AF5892AE0B86A303A8BDEED67A69,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000249575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:29:43.892{8D845A55-159D-6260-1200-000000004402}504C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d854cb-0x75cda158)
11241100x8000000000000000249574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:43.697{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:43.696{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75233C6DBA4767244418AB0B1DBB086B,SHA256=4F8DD92232935FD18750873632554CB6C5ACD423D00EB510775C44B0F9E8B5E1,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:44.801{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:44.801{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E050A4D287CCA41612EB1868489ECD3B,SHA256=745FFF752571E2F41E7DBDB92E479F923AC9C02489242463838024C305F4B5AC,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:45.904{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:45.904{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFD44EC731FD570966FFFF7DC76E7AC,SHA256=2E4A4006E6162FA3CF95CEE66C2D78D94B34FEDB0CC83B4507EFDC1EB4250E2C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000249580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:42.475{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
11241100x8000000000000000249582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:47.108{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754
23542300x8000000000000000249581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:47.107{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6A2331D68C71852520F25BEADFAEF5,SHA256=9CDA2BB362BD5905D8F9BE7833D6B0234EFED24D04DED6CBBF0FF89263A73B11,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000249584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:48.211{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:48.211{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB4EA191045137297323EF90D7EF36E0,SHA256=BB2BF3312EF90250DBD7AB2D7130EAC17AABB86216119B334920F3FCECAE1ADF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:49.314{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:49.314{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0591781B4B855867AEDC2262C24D4E2,SHA256=5BD638D0F23A1D7F2F03EE3022326BE5F9284B893ED8DE7361344A769911232B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:29:47.543{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:50.439{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000249589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:50.439{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=71F7D99E840167462B98B5409C212B32,SHA256=8D0F5908D9579FD067F7BB4D4B22920253CC226E821762011A61AE68DD4261FA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:50.417{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:50.417{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED563077F0AE7C8A4D21AD76AD7C1787,SHA256=A0D51BD046973CCAF8A72F1D5DDA9A3C622AB6700D455E95A96BC12BB9769AE9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:51.522{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:51.521{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACFF5D531CB849DD90CE2131969D75D9,SHA256=13E5E3D5ACF52AAD2FF1953356CB2F2FF5AAF68DCCE40A3F10523DB2D3E535BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:52.626{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:52.625{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BFE9A351410CE5209EFD9B942B0E060,SHA256=F654CA5C31AF59713A101A64E072B007FEBEA97F12531CF4F973FAF222182F70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:53.630{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:53.629{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABDDB7B825FD7471467A65D770401E3,SHA256=7ADD3144469F92C9CF66A251201952DBEA98F13AC43579A94DE7E85FC694712C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:54.735{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:54.735{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF86497F8A2020D36357683C4E4F88C,SHA256=B46A1F1BCB7CADE467BEADE2488EADDDECD7689588DD6D830473ECC584A15B89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:55.838{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:55.838{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1ECC1AB6B69C3D8F715C1080F88315,SHA256=A97CA3C37C93FE3A7E05ECB43BA2DBB9DDBC40EF2D15A1DC31342747B718218A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:56.941{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:56.941{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD808A5E8A172200816024D99D0536,SHA256=91A7CEBD60F3690F9860F8C34A81AD7B3DE14819A782E6725AA65CCE3DD3F7FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:52.598{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:56.111{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:29:56.111 11241100x8000000000000000249607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:57.946{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:57.945{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB4813D0DC4D1BDED24DB9F496E91D3,SHA256=CA69F70D102177AE2C5779CCE007659096C463F000ADC42168022F101837FF15,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000249611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:59.306{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000249610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:59.305{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=16F987FB8B252603CF39B4A2AFC48575,SHA256=B6FE347C7F41FCC2DF3F336DCF0424FC58BA0B9F898EDF87961A7C8C904A282B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:59.052{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:59.052{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612B170E8B6D3FB186363B992923494B,SHA256=0B3F3F5F71581256B75852A099DA1ABBDDA5B5BCF713BD428CAE516CBCA65EDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:00.158{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:00.157{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796212AFBD473796FAF6F138E339A29,SHA256=BA2C2D99934A693DEDCF01E15198FC75695E060AAC7F4D216CAF23D6C5DAC2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:59.999{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9322C9D62EA23D25FFA99EC763D53313,SHA256=44557DFC646A47B1A79FE2F469740EE7CDC5A98857329641265EAA20527A9124,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:29:58.474{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:01.260{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:01.259{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE592C95D8B4B1D82B5F591A2D696F87,SHA256=A37EED450A65554686B44530F3BF2CD3C67BFB5B5882E9544E220B8D656407F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:02.366{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:02.366{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7CE6A0692C2BDED6984C044D266691,SHA256=169899FA58E66160CEC04E74881470919A2F622C97C77035DD2582A10DDC6CEA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:03.515{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000249622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:03.514{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:03.468{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:03.468{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF069877D1B8F500C1EB0FB21AEBB58B,SHA256=A38277057E6526CF49F5A9CC7B19F7D579A8D3D74A43B719DB1A1F1BF30DC474,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:04.574{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:04.572{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A31DE81941FA60BC43F3615C57E6A9F,SHA256=5CF34C50C303D6CE44BE68346970A45B26D81311F51ACB146780E4F2FB3363F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:01.908{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000249630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:05.578{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:05.577{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4106C875B1FDCB6C2CD1A7329494916,SHA256=17D9C99529DA2B6CBF9753800AFFE3BA3868442E7A9D344BF9960C49C2F967C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:05.519{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-071MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:05.518{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0712022-04-20 15:30:05.518 11241100x8000000000000000249626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:05.517{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0722022-04-20 15:30:05.517 354300x8000000000000000249635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:03.513{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:06.683{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:06.683{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F9899DB65B8C03DA80D1C131AB934F,SHA256=A86608DFD202851BE8983BAAD13216F333CD51F0629C367E28AEF381487BD5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:06.519{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-072MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:07.787{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:07.787{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA5EA9B67676ED75042C6CBB674F0A4A,SHA256=DDD47F866659CA743E5C84FA48106BCDA4FD6D14CF4E1483B5D7C42B6707F6A8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:08.792{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:08.792{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF20CBAB9B6245DA05D048D4BCE0C3B0,SHA256=C784F36CBC885FC8F7BF4D9E2B18B34700333952394D93E5A29A1A37F98ACB7C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:09.898{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:09.898{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD932F2230DDAD5C40BA7E7E31C0883,SHA256=A531FE5BA3B3D6F47555D4FAC68A4ACEC8A44AB64FB03AF2903A62ADDB5848E1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:11.002{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:11.002{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EA310D5CDA0F90B007114A0A470CB9,SHA256=6415E82FCD9F02CDCE323C9DA5AD706B07456FB56847DCA76F5CB290A6833A16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:08.549{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:12.107{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:12.107{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4D4578EF8C2EAD6CBE7C9591CE6CA8,SHA256=413741BEC45EE4E89D18CA29425DA949AF32207E8C29A5976A74293C5B6E33B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:13.111{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:13.111{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB58EC88FCC239B0FCACA7D377BD62B5,SHA256=D3ECD267070CCD3EC2D95A10D4C4AF0C194D02E5EC27599F40B963A4CB4AA68D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:14.215{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:14.215{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885F68ED5B61C8E427A4E0C34901D30D,SHA256=EEA10C4D07349FEC1DD1C1629F195EB4884F4384819B94E18E6EFC656209A4D3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:15.318{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:15.318{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661042274453848619E3C9F4A9B313E0,SHA256=AF4F3FD2F60879C90B10E32B8BD546DA87C61F851351DDFF94E5F4F2BE1302F0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:16.422{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:16.421{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD44141570E534B8C3170B7B4BFEAD0C,SHA256=B892A23C8B88C412D46C51996B46EE139D6DFF64602889DFD9A4B270ECB3DE17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:14.525{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:17.425{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:17.425{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF8805A16955B6785C7A31870689CEE,SHA256=5F04A9A7E40C910FFE2639C9C799676F4188596691BB7E1A9FA1DA6C63B44700,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:18.528{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:18.528{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0489883502A6D998AAA02471776ECC,SHA256=C4651F39C189CC71C126A82BAA6EA8C0C12E407F240395E67B8B2553F49404A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:19.632{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:19.632{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B2C35F244714952595622F8DBECB3D,SHA256=34B9C76F97750632BC6C4F5561D10075708766D3270825EFFBD2D5903E78B242,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:20.736{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:20.736{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296918802B6F91A99769F1BD8C330687,SHA256=F86CDEFFADE1ACEED4A35603D9F9C5776692EC4B6185C4EB11978C917626AF56,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:21.839{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:21.838{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BADE8E040A60AE41E6B05F434ED42B,SHA256=8FFE1F5D44B97A9B59307B96CE70F1BD4434DCA1032A2275046C790A6A958B4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:22.843{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:22.843{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC15DB7194C5F64BC7BE8821582D79A4,SHA256=347A9888C5DDC6A4C5CA5F25CB749076E810BDD0C35FB64947897F99725BE20F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:19.607{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:23.947{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:23.946{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979A4D8671601296E3B929C2518DF052,SHA256=0D2005E68C503CCC8D99415774042DC4FCB33802BCB98293AB5D373E45734F9F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:25.051{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:25.050{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A530C95FEA3036086EEB35DE1E8DDF,SHA256=6129D31FDEB930DFDBF88BECF397E3A3B5F2E172DD62DF18613A29CCC98F9FC7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:26.102{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:30:26.102 11241100x8000000000000000249674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:26.055{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:26.055{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582C0ADA710F2B6B3C8309D7D6044928,SHA256=35FB1B22EAEB6E1AC70954460BDDF943CAC709DE5192C53E06CC3E42CA611424,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:24.656{8D845A55-15B9-6260-7900-000000004402}3332C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56386-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000249677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:27.158{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:27.158{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64D5E3C82FBC1A65F4E3DDC4F2EB521,SHA256=B3C285AD29B3579FAAD8906ECCC4BA870A2837C1561B93515CDAB1D637346A2E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:28.261{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:28.261{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3299581A324D42AFA96A6533DC0BF31,SHA256=260919CE3A943722EF9BCEE18D14AB48A6B2841554D086A6CF012E58B2FD1EE0,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000249735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.626{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000249734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.625{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000249733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.624{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000249732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.623{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 
(rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000249731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.469{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.467{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.467{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.465{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.462{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.461{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 
734700x8000000000000000249725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.461{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.461{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000249723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.445{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000249722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.444{8D845A55-2715-6260-3503-000000004402}4576C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.443{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000249720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.443{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000249719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.443{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating 
SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000249718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.443{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000249717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.442{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.442{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000249715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.440{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000249714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.440{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000249713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.440{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000249712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.437{8D845A55-2715-6260-3503-000000004402}4576C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000249711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.437{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000249710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.437{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000249709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.437{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000249708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000249707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000249706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.436{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000249701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.435{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000249700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.435{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.435{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000249698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.435{8D845A55-2715-6260-3503-000000004402}4576C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.434{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.433{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000249695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.431{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2715-6260-3503-000000004402}4576C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.431{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.431{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.431{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.430{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000249690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.430{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:29.429{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.429{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:29.429{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.429{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.429{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.428{8D845A55-2715-6260-3503-000000004402}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000249683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.365{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000249682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.364{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA9FBD17791B452892C565D06431DFA,SHA256=7497B67CC881E92220AD1FC25A8FDE6FA23AC7A06E4163CAA0FD8CE24735E1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000249681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:29.220{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6863F4E26548EBA9D02F779B2FBE0457,SHA256=5F6E7648B377A0FA0E17C3592356583AAB29832264B44AD31D80DA14DBBFED47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000249851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:27.761{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56387-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000249850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:27.761{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56387-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 534500x8000000000000000249849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.932{8D845A55-2716-6260-3703-000000004402}2020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000249848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.931{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000249847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.930{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000249846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.929{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000249845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.793{8D845A55-2716-6260-3703-000000004402}2020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.793{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.792{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.792{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.790{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.790{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000249839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.789{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000249838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.789{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000249837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.782{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000249836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.782{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000249835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.782{8D845A55-2716-6260-3703-000000004402}2020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.781{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000249833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.781{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000249832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.781{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.781{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000249830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.781{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000249829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.781{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000249828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000249827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000249826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000249825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000249824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000249823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.780{8D845A55-2716-6260-3703-000000004402}2020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000249820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.779{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000249819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.779{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.779{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x8000000000000000249817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.779{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.779{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.779{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000249814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.778{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000249813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.778{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000249812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.778{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000249811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.778{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 
734700x8000000000000000249810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.778{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000249809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.778{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000249808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.777{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.777{8D845A55-2716-6260-3703-000000004402}2020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.777{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000249805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.776{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.776{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.775{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.775{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.775{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 
10341000x8000000000000000249800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.774{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.774{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000249798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.774{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.774{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000249796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.774{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.774{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2716-6260-3703-000000004402}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.773{8D845A55-2716-6260-3703-000000004402}2020C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000249793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.498{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.497{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D3A5CA76820968565151E844866005,SHA256=6A56506A6E99858C4261EAF2A67787E662AE9372855B2CB102EE6E417D0139C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.497{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000249790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:30.495{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49B45776EFA380E8BB48CF7233B549CC,SHA256=D0CFAE4D0F0614A9B2B22A1F578C9289FC5BB9DF1C5442CD13255185C9992F7F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000249789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.291{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.291{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB31812A3AC8DEBA22A0A582C4D8EECD,SHA256=94AC8819B3DDA1A9E7BB1ADBEC5BB377124A6299ABAAC0B53F45371BD80F42E0,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000249787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.279{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000249786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.277{8D845A55-2716-6260-3603-000000004402}55483596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.277{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000249784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.276{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000249783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.126{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.125{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.125{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.124{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000249779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.122{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.122{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000249777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.122{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.121{8D845A55-2716-6260-3603-000000004402}5548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000249775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.120{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000249774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.114{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.114{8D845A55-2716-6260-3603-000000004402}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000249872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000249869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.733{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.732{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000249863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:31.732{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.731{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.731{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.730{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.730{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000249858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.728{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:31.728{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.728{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:31.727{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.727{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.727{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:31.726{8D845A55-2717-6260-3803-000000004402}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000250009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:32.920{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000250008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.919{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000250007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.919{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.918{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® 
Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.917{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.916{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.916{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000250002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.916{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.910{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.910{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.910{8D845A55-2718-6260-3A03-000000004402}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000249998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.909{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000249997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.909{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000249996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.909{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.909{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000249994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.909{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000249993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.909{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000249992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000249991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000249990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000249989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000249988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000249987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000249986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000249985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.908{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000249984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000249978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000249975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.906{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.905{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000249973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.904{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.904{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000249971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.904{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.903{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.903{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000249968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:32.903{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.903{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:32.902{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.902{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:32.902{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.902{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.902{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000249961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.901{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.900{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0B941EF334AE580189120D0F637269,SHA256=152F66AB82EB8D3E568FA72D482F8F37A8C68F29B7872D07356FAAD96631BD98,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000249959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.476{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000249958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.475{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating 
SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000249957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.474{8D845A55-2718-6260-3903-000000004402}16405000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.474{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000249955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.474{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating 
SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000249954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.381{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.381{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C255FFA5D8C75F2784E85D0348A734,SHA256=8006CE7DFFD4DC97ABF2A776A1D97E4E2B630C4D56C1CB75016550B478819EE7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000249952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.331{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000249951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.330{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 
(rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000249950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.330{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000249949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.329{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000249948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.328{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000249947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.327{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000249946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.327{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000249945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.327{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000249944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.321{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000249943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.321{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000249942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.320{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000249941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.320{8D845A55-2718-6260-3903-000000004402}1640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000249940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.320{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000249939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.320{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000249938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000249937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000249936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000249934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000249933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000249932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000249931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.319{8D845A55-2718-6260-3903-000000004402}1640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000249930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000249929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000249928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000249927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000249926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000249925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000249924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000249923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000249922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000249921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.318{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000249920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.317{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000249919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.317{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000249918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.317{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 
10341000x8000000000000000249917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.316{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000249916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.316{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000249915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.316{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000249914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.315{8D845A55-2718-6260-3903-000000004402}1640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000249913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.315{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000249912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.315{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:32.315{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.314{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:32.314{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000249908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.314{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000249907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.314{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000249906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.314{8D845A55-2718-6260-3903-000000004402}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000249905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.119{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000249904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:32.118{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6966525E9E6010E0D75D8ABFB6009D3,SHA256=404A5A088177F1333323AECF77C5E87C20A14E2D43E78102E2EE1AB996655F93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:30.463{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56388-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000250073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.652{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 
10341000x8000000000000000250072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.652{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000250071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.652{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4466dd.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.651{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF4466dd.TMP2022-04-20 15:30:33.650 
11241100x8000000000000000250069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.634{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9YQGI6TRGBX143QV1KPM.temp2022-04-20 15:30:33.634 534500x8000000000000000250068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.583{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000250067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.582{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000250066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.581{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.580{8D845A55-2719-6260-3B03-000000004402}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000250064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.489{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.488{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8B76079727B829B7D3A2C42D42DCEC,SHA256=A9BEBB6247CF7103CAB5098EDE990D18C20C07A394BD0825678CE91C5E0A666C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000250062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.436{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 
734700x8000000000000000250061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.435{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000250060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.435{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.434{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.433{8D845A55-2719-6260-3B03-000000004402}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.432{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000250056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.432{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.426{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.426{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.426{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000250052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.426{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000250051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.426{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000250050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000250049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000250048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000250047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000250046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000250045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000250044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000250043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000250042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000250041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.425{8D845A55-2719-6260-3B03-000000004402}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000250040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.424{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000250039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.424{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.424{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000250037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.424{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000250036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.424{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000250035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.424{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 
734700x8000000000000000250034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.423{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000250033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.423{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000250032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.423{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000250031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.423{8D845A55-2719-6260-3B03-000000004402}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000250030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.422{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000250029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.422{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000250028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.422{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.422{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000250026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.421{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.421{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000250024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.420{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000250023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.420{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000250022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:33.420{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.420{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000250020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:33.420{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.419{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:33.419{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.419{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.419{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.419{8D845A55-2719-6260-3B03-000000004402}4836C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000250014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.067{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000250013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.065{8D845A55-2718-6260-3A03-000000004402}5116C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000250012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.065{8D845A55-2718-6260-3A03-000000004402}51164948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:33.058{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:33.058{8D845A55-2718-6260-3A03-000000004402}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000250077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:34.624{8D845A55-159D-6260-0D00-000000004402}9005648C:\Windows\system32\svchost.exe{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000250076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:34.008{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:34.007{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F727C1F6F213394DDFF2597813B796B7,SHA256=A53C0065124A1DA838572310BA5793A4D91D1976CF09FD4170D27E9065220CAF,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000250079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:35.005{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:35.005{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0347C5091068CC341D28FDDBAE1FF753,SHA256=2C56663C83DE5B63764776DD4FD71305E2341AA55112E310BA02F6D72DA0D483,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:36.108{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:36.107{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3632A81584CA1059E91C47504A52437,SHA256=9A3966B1CE6BF5628DE6A324DE2AB53CEC6F2FF57B1BD22975D4DBD1CDC5DC1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:37.212{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:37.211{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07F3C9009D2637B57EA063ED1056C32,SHA256=CF3E8C853F507173EAE4616C975AF85026FF2D401A61C19CA3827C9EC9519C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:35.487{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56389-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:38.319{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:38.318{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
15:30:54.620{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:54.620{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:54.620{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:54.620{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15E1-6260-9500-000000004402}1492C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:54.619{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:54.619{8D845A55-159D-6260-0D00-000000004402}900920C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-3000-000000004402}2368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000250119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:54.582{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:30:54.581{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6940B81E2C1E87FE2A1D90AB774E3D86,SHA256=9544210BB8E2F452A114D1EB47E8A352753380843AE3F4783985CA76E8CA9008,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:50.616{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:55.881{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:55.880{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3671271082ABE4427617E3F9BA5F994,SHA256=3951CF8B52F54291F53ED925CB27766FAE5C82E3D319925FC6730F6AADE73A13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:56.903{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:56.903{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAE8CE7FDB3290743CD465E82A704C3,SHA256=4612DFDAA2B6C334AE7671B3F4411D0C61133A6A21130551916580F9F9FAFE7B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:56.108{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:30:56.108 11241100x8000000000000000250165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:58.008{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:58.008{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4D13FB6EB7BDBD283C637C97D88C31,SHA256=A1C285356A280409B4D0A7C9D44B68580844AF6316C077868736FA0C88D5D83F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000250171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:59.436{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C7219E837B83317AEB574F2584AF26CF,SHA256=A1D542D87957D8C00C0B1ED8EBD94EEF27DEE72B3A6A994CCC20C4A8AE4ED8A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:59.310{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2022-04-20 14:16:57.501 23542300x8000000000000000250169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:59.310{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3DC3F5C8620E29991E97A157C4EC4359,SHA256=FE44724942C70F19AB400AC2594E6871014AD60597BB6B80F8F6EF4A24E90E45,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:59.111{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:59.111{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2A1C83B1C098C9052F9DD98EE2198E,SHA256=DCE84AA35A886FBA50A2F5270237A7D7E379B39F23043553C3742019F9F274D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:30:55.654{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56393-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:00.217{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:00.216{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC0F37A7B8BB66371B439A1C9CF7101,SHA256=F4E5A7B466AD9E048ED85F8049B7408DD08AD551B613FCCC4822ED466F828D6F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:01.320{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000250174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:01.320{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5A37A7C6D9D518290102EF3C18398C,SHA256=03333781B47D731EE2DFAA9B7C6EE619DC254246EE6BA70CD00CC37B6DEB91E2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:02.424{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:02.424{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467B9D7DCB052964927AD4D37A6896B8,SHA256=2FA0F342A794017BC61D607335AB6D3758492B50B058018007E0354ACF650330,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:03.730{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:03.730{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C17237C5CA78196FA6D377B40CDE5D4,SHA256=891836462D02B864FA012748086EDFB9B3161A517EFAE98577C9E456B56AF656,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:03.532{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000250178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:03.532{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:04.739{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:04.738{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97679C95D10A0A7F24137C350A28CD1F,SHA256=BE1ECB5E026085EC0FE7AE47794C8402B55CB676602ECB473B71716B5800D8D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:05.843{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:05.843{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D405C4C52BA9315676B09856A6A93B,SHA256=EF1BE196EC07652FE72D7BF062CFF5ACFAA8480239E560B44529FEA354ABCDC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:01.927{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56395-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000250184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:01.423{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56394-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000250189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:06.947{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:06.947{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B35527FBA40FCF973DE1E157ABC1E05,SHA256=85061F0D8806172CA5C0010328ABEFC487594130DBCF695DD40C46F8DB97542E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000250192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:07.030{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-072MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:07.026{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0722022-04-20 15:31:07.026 11241100x8000000000000000250190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:07.025{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0732022-04-20 15:31:07.025 11241100x8000000000000000250195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:08.053{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:08.052{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3274919CCED013E76DE0590BEBE000D1,SHA256=57408E5CC473E556FDD75E06BACF3CBF9C10FEFC2B8194CE89EFA29E8C284819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000250193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:08.027{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-073MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:09.548{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 
23542300x8000000000000000250198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:09.547{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A13A82A32851E21E32157B64571971EA,SHA256=CBE2E59C2B34AE9B5457D1A18EF77A8D7B42C86B22456B5D99B74F097CFDC593,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:09.056{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:09.056{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7448EEAC76E13C8363F5FBBC57F30830,SHA256=C53EF0D4432D48E35C0CEB445F8CA8F41C3E08C3209F4270E06BA6C4CB798B1E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:10.161{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:10.160{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C1BAA28C0C6A0F85ECC8202CB814BC,SHA256=8A3F60D4C3A4ACFBD67DA618968E46B3D2FC583B0F879785D039168CB93CD25A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:06.448{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56396-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:11.170{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:11.169{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3802A2A98B542F0F35C355544C64E05,SHA256=0AE789CB63E7B0AA0764FF361F04A7374D5B65A71A79EF080583BFB1751DCAA8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:12.273{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:12.273{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07DB12F82073C5AC6824A5B278DD78A,SHA256=C8861F7B7FE02D1681AD8B58EE72B3CDB0B2080504CD74DA1E18F15E45FDB3A1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:13.377{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:13.376{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F0A13DF52A1727AA91336077A83BC,SHA256=778C9679940A4FBA00C653F1B68548B9677EADCDF4D3330B8974CA66FC85AB02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:14.482{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000250209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:14.482{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0792AEB72956B3D1C9DFB6A7A91E1F,SHA256=79C4C5E70C227A30C0BE3FC23074C8A5E5C56FDEAE5E115F232F492D393B757C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:15.587{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:15.587{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29CC41C8F58E43713CDAF3FA9CDB1986,SHA256=A08305052CFEC347C2C683671F7CD0156F88D060A06EDF987049188DBC3484A2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:16.690{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:16.690{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819DF1D431CE0D874C8334819C626A93,SHA256=7623FFB700F7133D14FF8B77F8B6CBC79DD45E3764CBB3A93EC26E88BF1074B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:12.423{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56397-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:17.793{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:17.793{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9926297241A89258BA4DB19DB71170FA,SHA256=83D73D71B2AAA37493944D0BEADA4EEF5367D7A51D22D79C38B0C329FEF419AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:18.897{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:18.897{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD7631C4EA139F64ED8FFFFDCEB764,SHA256=4B1DB562C188AB8D68431594EA58FC4C0F0218FAE4C1B44005A6F550AA08CB6C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:20.201{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:20.201{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0016491142DBB0DBDC1FA0D1DFF23747,SHA256=7F0325A1D7AD886635069513F072862D0879C9350C43E6AA241E279A91039C4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:16.658{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56398-false169.254.169.254-80http 
11241100x8000000000000000250225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:21.306{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:21.306{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF83AD65A733D200F3E26874B4328A4,SHA256=F7E5C240721B27CB7F65789A6E95B011B397DADDCFBF4D298DFF55FD4049AD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:17.475{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:22.408{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:22.407{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB4875B890E18796A803F4BFF765F68,SHA256=5B78E3CA3B092CFE2A6B73432C5063E0449992C221EC08415C43F7EFED55DE64,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:23.512{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:23.511{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26C7C8EA40908146EC6EA529A821C94,SHA256=51D4E0054445D8E1D8EC0EF83B031B5A893C071C7F0749BB500C57DEB56DEB02,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:24.516{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:24.515{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D269D19951217B3FFE7D387DBBBD02,SHA256=9EBBC9A1B27C4476C1F3CDBF1B63977E81E60FF7E0D4687837DC1E9317D109AB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:25.620{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:25.620{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB78E2B3222B6BA9E81968B2E2E4F3DE,SHA256=5F2FBFAE33A673AE860CE3F5537782E2394EAD2717F03A3A001C2812850AA68F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:26.724{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:26.724{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747AB4D809150440C317164E8CB07788,SHA256=ECBB34813C560C9FDEEB35F21C4E172F63F472A708E22395EBA6CF930F50A7C6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:26.109{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:31:26.109 354300x8000000000000000250234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:22.501{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:27.828{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:27.828{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B2478A6E612C1397F9198876233813,SHA256=BC8007FE48411E3A9A17FD558D92137364836602D5AD9271B86BE73D6E4D82D9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000250241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:28.932{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:28.931{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1BB691495A3710531473DC48D6E233,SHA256=7B7981F169D57A0140C8994F2EF3FC9E32AA6C8EFEA6239E0078010C4F99AD3A,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000250298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.591{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000250297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.590{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000250296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.589{8D845A55-2751-6260-3C03-000000004402}1632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.589{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000250294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.472{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5E10506248714B1B5CB534959C25814F,SHA256=92146840B0207CB5FFA77D9269333666AA8CA7BE866CCC19DBF5394F055A8CF1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000250293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.446{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000250292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.446{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000250291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.445{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.445{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 
734700x8000000000000000250289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.443{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.443{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.443{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000250286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.440{8D845A55-2751-6260-3C03-000000004402}1632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.434{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000250284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.433{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.433{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000250282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.433{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000250281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.433{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000250280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.432{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000250279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.430{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000250278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.430{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000250277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.429{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000250276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.429{8D845A55-2751-6260-3C03-000000004402}1632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.429{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000250274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.429{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000250273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.429{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft 
WindowsValid 734700x8000000000000000250272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000250271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000250270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000250269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000250268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000250267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000250265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000250264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000250263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000250262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.428{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000250261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.427{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000250260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.427{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000250259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.427{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 
734700x8000000000000000250258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.427{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000250257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.427{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000250256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.426{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000250255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.426{8D845A55-2751-6260-3C03-000000004402}1632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000250254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.426{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000250253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.425{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.425{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000250251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.425{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000250250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.424{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.424{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 
10341000x8000000000000000250248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.424{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.424{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000250246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.423{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.423{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000250244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.423{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.423{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2751-6260-3C03-000000004402}1632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:29.423{8D845A55-2751-6260-3C03-000000004402}1632C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000250406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.917{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x8000000000000000250405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.917{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000250404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.915{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.915{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000250402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.771{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000250401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.771{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000250400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.770{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.770{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.768{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.768{8D845A55-2752-6260-3E03-000000004402}2660C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.768{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000250395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.767{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.762{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.761{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000250392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.761{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000250391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.761{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft 
WindowsValid 734700x8000000000000000250390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000250389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000250387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000250386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000250384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.760{8D845A55-2752-6260-3E03-000000004402}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.091{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000250313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.090{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000250312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.090{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.090{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000250310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.090{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.089{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 
734700x8000000000000000250308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.089{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000250307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.088{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.088{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000250305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:30.088{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.088{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:30.087{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.087{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:30.087{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.087{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:30.087{8D845A55-2752-6260-3D03-000000004402}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000250465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.893{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000250464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.892{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000250463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.891{8D845A55-2753-6260-3F03-000000004402}56242308C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.891{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.890{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000250460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.754{8D845A55-2753-6260-3F03-000000004402}5624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000250459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.753{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000250458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.753{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.752{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.751{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.750{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.750{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000250453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.750{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.744{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.744{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000250450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.743{8D845A55-2753-6260-3F03-000000004402}5624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000250449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.743{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000250448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.743{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000250447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.743{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.742{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000250445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.742{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:31.742{8D845A55-2753-6260-3F03-000000004402}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 
734700x8000000000000000250536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.954{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000250535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.954{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000250534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.954{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000250533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.954{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000250532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.953{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.952{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000250530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.952{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 
10341000x8000000000000000250529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.952{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.952{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000250527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.952{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.950{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000250525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:32.950{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.950{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:32.950{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.950{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.950{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000250520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.468{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000250519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.466{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000250518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.466{8D845A55-2754-6260-4003-000000004402}46765288C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.458{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.458{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000250515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.321{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.321{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5D81852D70956EFEBCCD5290407BBA,SHA256=FDEC2B3C4D4E2EC89E88E1394850A2207648CAB8DFCC9F11A24BB04F9F7794CB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000250513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.304{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000250512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.303{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
734700x8000000000000000250511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.302{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.302{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.300{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.300{8D845A55-2754-6260-4003-000000004402}4676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.299{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000250506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.299{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.293{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.292{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000250503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.292{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000250502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.292{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 
734700x8000000000000000250501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.292{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000250500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.291{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.291{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000250498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.291{8D845A55-2754-6260-4003-000000004402}4676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.291{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000250496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.291{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000250495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:32.291{8D845A55-2754-6260-4003-000000004402}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
734700x8000000000000000250589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.627{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000250588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.626{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.626{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000250586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.625{8D845A55-2755-6260-4203-000000004402}5832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000250585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.625{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000250584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.625{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000250583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.625{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000250582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.624{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:33.624{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.624{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:33.624{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.624{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.623{8D845A55-2755-6260-4203-000000004402}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000250576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.362{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.362{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBA5035AF48CEA3B024D07C5B8D4382,SHA256=2D7316297FD0A357BBBE0B30567A048ACADEFEB837D7B410BF12E4E249C2CA57,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.342{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.342{8D845A55-15C1-6260-8300-000000004402}776NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500B80774C35D92980CDFA38483C36C0,SHA256=DE2A7DCCB472D347F8C7FC361F4562F0C1A6782B559218728218D1CAFB478A42,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000250572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.105{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000250571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.104{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000250570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.104{8D845A55-2754-6260-4103-000000004402}51765212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000250569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.103{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.103{8D845A55-2754-6260-4103-000000004402}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000250630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:34.883{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:34.883{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF1717139720CA0C58CE5BEE83297DD,SHA256=4BDA6AF8E8DC0645B5AF22921C0F69B9C0BE9C7BD79CC39E9B9F2B445CB72154,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:35.978{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:35.978{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5970136ACCABFC82B00729F650EE1E,SHA256=C3B5BBEF5A8119981C797445B5CD668D2D4E9635C6430BC6AC2AEB6D90F82108,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:33.468{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:37.086{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000250633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:37.085{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1705D9A7D8A819BC4EDE666C7B488C07,SHA256=0F39230B8FD03BFE4618C14410663C0F498FC1EEF060B10F7E9C73A62FCBA33B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:38.191{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:38.191{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F794154D2D519466041AC5490F517B3F,SHA256=D1372DD969C7EA7920EBF6840BEEFEF298284F3DB81672A397523BE9BD6543E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:39.211{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:39.211{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD8166B63FA18A00791E39AA7E777CE8,SHA256=E6D1AF42F6BA6BFA1A1C2EBA14DEC49EDF104B0379D43B167F225CC06E620D37,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:40.216{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:40.216{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF17C2DA0AE9492D22E22986163BC1F9,SHA256=309518C165221058694E5AEC6EA02FD6C3B75DF17CD12413B57BE20C960BE111,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:38.468{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:41.220{8D845A55-15C1-6260-8300-000000004402}776C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:41.220{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22E2A6F2513083A5D497EFD7E86040E,SHA256=447AB4E8FB42F42ACC373513DFB333B653A84FEAC406B687AF62DA0269F8B9E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:42.226{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:42.226{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF4A74A8ED57629C17C0FE6A138D293,SHA256=5540B1D2BF79B68C165725B24DC8503CCD7652636576D0255AAE80BCC0581468,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:43.231{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:43.231{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D44BE95AF190C9BF747205EEBC8E1A1,SHA256=E90D97CBF9F2DA3FF0664A9B442A5987E2154CD7BB0DD3630918087A8D85B2B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:44.236{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:44.235{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41109B2F536814D5BB3181ED63BD09A,SHA256=8678C369ECFFB8C4A5BBC21E58C697D6405701432131E40EA07325D009099F23,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:45.341{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000250651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:45.340{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB19326A5EDC905D478FFF11D841CA92,SHA256=DA18182349E8A2C2CA1F5206286627F03C49514CB060D8032DD83E3675DE328C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:46.444{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:46.444{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A13A32A6282F110092816424118AD9,SHA256=1076EF011DF3C650601E48B4F1B8B5923F1EB1080ED042963F7126EABB86A3AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:43.496{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
11241100x8000000000000000250657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:47.448{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:47.448{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E024B330CDBBD13C5F900F7ABADB2DDE,SHA256=92DBD4B48573936E7C609C5EA105A51CD365F880BBDEF7FCEBEB9DA7194E6234,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:48.550{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:48.550{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905BACFDB649E0E7E3E9B5925C1B28D5,SHA256=1B1F7DD2956EF772CA3A9EACB21A5F293E3E6FE350B7B0183E598CE7BE85B9E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:49.654{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:49.654{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C83BF61DF7203F1CE5C873A4C3F2965,SHA256=3FCC1D990574A22A564BCD6FAC289079B4FC753036124BD326CC118860B7A2DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.661{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.660{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8924BE5951A36AA8479377889828B54,SHA256=70227AF21470A51D009F89471992214DFC11D2F4884355838A5D2032EF00F7BA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000250668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 
15:31:50.581{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\C415B540-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML 11241100x8000000000000000250667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.581{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_C415B540-0000-0000-0000-100000000000.XML.TMP2022-04-20 15:31:50.581 13241300x8000000000000000250666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:31:50.578{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\34368782-AD18-41EA-9DBB-4DCA5018EFF5\Config SourceDWORD (0x00000001) 13241300x8000000000000000250665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-SetValue2022-04-20 15:31:50.578{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\34368782-AD18-41EA-9DBB-4DCA5018EFF5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_34368782-AD18-41EA-9DBB-4DCA5018EFF5.XML 11241100x8000000000000000250664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.578{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_34368782-AD18-41EA-9DBB-4DCA5018EFF5.XML.TMP2022-04-20 15:31:50.577 10341000x8000000000000000250663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:50.567{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.567{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000250676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:51.765{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:51.765{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F7D5721C8569D17DE62EBCF26D8A51,SHA256=ED2FB4DB774F82D500E8729414C662D1F513ECE556278A0A30F191EC35B0F531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000250674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:51.414{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:51.411{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:51.411{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000250671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:48.549{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.875{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.875{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8465ACA292D6C99606FDC1BD6C6A2F5,SHA256=523018784293342FD71752778340FF4D85EA49DA5EB54A0D0FF06863F4340681,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.457{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000250686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.456{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=462E1C57AD343BBCA2EB4C1894832F2B,SHA256=481C56DD05313FE8D4F3C2BAB15F085CC1AC77DBB5405C971F5F51CB5088C7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000250685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.417{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:52.416{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000250683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:48.993{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9890:5ff5:cd7:ffff-50343-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000250682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:48.993{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local50343-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000250681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:48.975{8D845A55-159D-6260-0D00-000000004402}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56407-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 
354300x8000000000000000250680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:48.975{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56407-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local135epmap 10341000x8000000000000000250679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.243{8D845A55-159B-6260-0B00-000000004402}636676C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:52.239{8D845A55-159B-6260-0B00-000000004402}636676C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:52.239{8D845A55-159B-6260-0B00-000000004402}636676C:\Windows\system32\lsass.exe{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000250695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:31:53.980{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:53.980{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD28F448EBCE7B9999596C7312C966D,SHA256=3A918F132F3D2321E68A8E92E84E36375150214B7460CFB0421AC4C4BD5660C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.644{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56409-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000250692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:50.644{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56409-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000250691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:49.815{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56408-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 
354300x8000000000000000250690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:49.815{8D845A55-15AE-6260-2C00-000000004402}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56408-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000250697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:55.084{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:55.084{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08D55CA968B166BA196C878CDA047F1,SHA256=3132CAFAC1BF66650F4C90869BF2E73BCBD294D3F4DE10B632E29BFEDA7E85F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:53.603{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:56.187{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:56.187{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5367289326BD04FF5BCE2BE5EFBEEB,SHA256=3D919A880CB830E3E75DB6183E315AF988AB332CA7376D47E832DE659D21A1EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:56.113{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log2022-04-20 15:31:56.113 11241100x8000000000000000250703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:57.192{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:57.191{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5428237FC67DEC029E26B33E77D19B1,SHA256=9C85956C200E4037791FDF123A3695C925FA3F90DA204413D20673A04D602655,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000250705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:58.297{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:58.297{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0796432CB1E09C52E7CE8BCA24F75EFD,SHA256=18419750A46333F4DE617DB531AECD3AFECCA5BB8048A6A7D3FFE559DDCB384A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000250710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:59.669{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8FBB22D35B8B994ECE52A394CD5F231B,SHA256=1382D33974D129CF2B8D1D2F46481634B190D33FAEA2328E663BACF4EBCE5315,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:59.400{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:59.399{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CBFBC5489195E634AD14E8D66FAFA5,SHA256=F15CFFAE7B2FB5690DE564ECDEDD369F2F36D9717B91502A39F8BF758E1FB840,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:59.314{8D845A55-159D-6260-1100-000000004402}416C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2022-04-20 14:15:57.498 23542300x8000000000000000250706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:59.313{8D845A55-159D-6260-1100-000000004402}416NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5031F432AEF670F04B3020980C8EF9E2,SHA256=BA43178B538AE3A0B139150AC5A3DDF6314F44355BB8F2811F4AEA792E7131E5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:00.403{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:00.403{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2F7F7C514D9606D272C784CC69019D,SHA256=9593A37050BAA870218C698AAC290764F8F2E435099CA80DFFF0D44D3C32B9C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:01.506{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:01.506{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2182249D8887860EA418297B7C1D4A0A,SHA256=032D599FB0BC72C4051D29195D56F181D6413A9AE31618AD2C303B354BC00CDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:31:58.628{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:02.611{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
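The Event ID 10 (ProcessAccess) records in this capture are easy to misread: lsass.exe (PID 636) appears first because it is the SourceImage, opening DFSRs.exe, svchost.exe or System with GrantedAccess 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) from an lsasrv.dll/RPCRT4.dll or kerberos.dll call stack. Nothing here reads LSASS memory. The following is an added triage example, not code from the dataset or its publisher: it parses Sysmon event XML, keeps the source/target direction straight, decodes the access mask, and flags unbacked return addresses in CallTrace. The three sample events are constructed; the first mirrors the lsass.exe to DFSRs.exe records above, while the dump.exe path and the 0x1010 mask are hypothetical.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records that involve lsass.exe."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Win32 process access rights (winnt.h values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "CREATE_THREAD",
    PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}
# Rights that let the caller read or tamper with the target's memory.
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Sysmon <Event> element."""
    event_id, data = None, {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the events namespace, if present
        if tag == "EventID":
            event_id = int(el.text)
        elif tag == "Data" and el.get("Name"):
            data[el.get("Name")] = el.text or ""
    return event_id, data


def decode_rights(mask):
    """Name the access bits in a GrantedAccess mask."""
    if mask == PROCESS_ALL_ACCESS:
        return ["ALL_ACCESS"]
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def triage_process_access(data):
    """Score one Event ID 10 record; returns {'verdict': ..., 'reasons': [...]}."""
    src, tgt = data["SourceImage"].lower(), data["TargetImage"].lower()
    mask = int(data["GrantedAccess"], 16)
    reasons = []
    if tgt.endswith("\\lsass.exe"):
        rights = decode_rights(mask)
        if mask == PROCESS_ALL_ACCESS or mask & MEMORY_RIGHTS:
            reasons.append(f"{src} opened lsass.exe with memory rights {rights}")
            verdict = "high"
        else:
            reasons.append(f"{src} opened lsass.exe with {rights} only, no memory access")
            verdict = "low"
        if "UNKNOWN" in data.get("CallTrace", ""):
            # Sysmon prints UNKNOWN(addr) for return addresses outside any loaded
            # module, i.e. unbacked (injected) code on the caller's stack.
            reasons.append("call trace contains an unbacked return address")
            verdict = "high"
    elif src.endswith("\\lsass.exe"):
        # lsass.exe is the caller: it opens the process that just made an RPC call
        # into it (lsasrv.dll / RPCRT4.dll on the stack). LSASS memory was not read.
        reasons.append(f"lsass.exe is SourceImage; it opened {tgt} with {decode_rights(mask)}")
        verdict = "benign"
    else:
        verdict = "not_lsass"
    return {"verdict": verdict, "reasons": reasons}


def make_event(src_pid, src, tgt_pid, tgt, access, trace):
    """Build a minimal Sysmon Event ID 10 XML string (constructed sample data)."""
    fields = {"RuleName": "-", "UtcTime": "2022-04-20 15:31:52.417",
              "SourceProcessId": str(src_pid), "SourceImage": src,
              "TargetProcessId": str(tgt_pid), "TargetImage": tgt,
              "GrantedAccess": access, "CallTrace": trace}
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>10</EventID>"
            "<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>"
            f"<EventData>{body}</EventData></Event>")


# Constructed samples. PAGE_LIKE mirrors the lsass.exe -> DFSRs.exe records in the log;
# DUMP_LIKE (hypothetical path, 0x1010 = VM_READ|QUERY_LIMITED) and QUERY_ONLY are invented.
PAGE_LIKE = make_event(636, r"C:\Windows\system32\lsass.exe", 2960, r"C:\Windows\system32\DFSRs.exe",
                       "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|"
                       r"C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\System32\RPCRT4.dll+7a523")
DUMP_LIKE = make_event(4711, r"C:\Users\Public\dump.exe", 636, r"C:\Windows\system32\lsass.exe",
                       "0x1010", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|UNKNOWN(00000204A1B30000)")
QUERY_ONLY = make_event(1040, r"C:\Windows\System32\svchost.exe", 636, r"C:\Windows\system32\lsass.exe",
                        "0x1000", r"C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd")


def triage_all(events):
    """Run the triage over a list of raw event XML strings, skipping non-EID-10 events."""
    results = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id == 10:
            results.append(triage_process_access(data))
    return results


if __name__ == "__main__":
    for r in triage_all([PAGE_LIKE, DUMP_LIKE, QUERY_ONLY]):
        print(r["verdict"], "-", "; ".join(r["reasons"]))
```

The direction check is the point: a rule that matches `lsass.exe` anywhere in an Event ID 10 record fires on every one of the records above, while a rule keyed on TargetImage plus the VM_READ/VM_WRITE/VM_OPERATION/CREATE_THREAD bits stays silent on them and still catches a 0x1010 or 0x1FFFFF open from a non-system binary.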
23542300x8000000000000000250716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:02.611{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFF9084D967CD2D9ECFDA7ED6A08E44,SHA256=FB3F4415E70DEA8C5BE8385118492500BA76F095D2DA44459BE2676766E340B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:03.717{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:03.717{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB7EE5389FF8FEFB3D6E574D6A93ACB,SHA256=446D8E7BCDDB14EBE4C31BE281B1E161AC7D41550F93E94C68D59D1227D63A27,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:03.553{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2022-04-12 13:20:00.173 23542300x8000000000000000250718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:03.551{8D845A55-15AE-6260-2E00-000000004402}3040NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=05FFF3FF76A710A0F458E3D636098363,SHA256=23DCF606AD488F459E6EEC044C3A8EDA5AC21ED69138FFC21A2AC72C77BD3B13,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.823{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.822{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8F3A35E4DFE3B910501232255E0206,SHA256=FBE2285F5BD93EAA133BC81BF58FB09EE5BFF4464289F96D08FA1D213A6E0D53,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:05.835{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:05.834{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BDD056E2B2F60E2B23AC4DAD62D335,SHA256=78ACD8BAB4D282D1141A94C75600ABC1828364B1D037EA7D870AFDC76442681A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000250728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:05.748{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-1596-6260-0100-000000004402}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000250727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:05.745{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:05.651{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:05.642{8D845A55-159B-6260-0B00-000000004402}636684C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000250724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:01.942{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 11241100x8000000000000000250734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:06.939{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:06.939{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE92E33AC647973F8897654F48B2B7ED,SHA256=30899762D3FD4E35DFF11C02892978BFB6132183D41E059035F065C929AA7A74,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:06.712{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000250731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:06.712{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB4F876F5C73413D7276667CDEBA5EE6,SHA256=44985A769A104EBFBF3434AAB6E12FA4DCFAADEBFC1C6BB4D782404347D91700,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.154{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56415-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 354300x8000000000000000250740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.154{8D845A55-1596-6260-0100-000000004402}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56415-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local445microsoft-ds 
354300x8000000000000000250739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.060{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56414-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000250738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.060{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56414-false10.0.1.14win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000250737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.052{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56413-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000250736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.052{8D845A55-159D-6260-1600-000000004402}1292C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local56413-truefe80:0:0:0:64fe:9077:35e3:965ewin-dc-ctus-attack-range-355.attackrange.local389ldap 10341000x8000000000000000250735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:07.154{8D845A55-159B-6260-0B00-000000004402}636760C:\Windows\system32\lsass.exe{8D845A55-159D-6260-1400-000000004402}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6b44|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000250747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:08.535{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\respondent-20220420141616-073MD5=8D93873C901538A8B2B909297EDAE7BB,SHA256=9423023AAA5D37B26F7EE3576993D2852CE2F95EF8E5E497C042A8474DDD26FD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:08.533{8D845A55-15B0-6260-4700-000000004402}3580C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\respondent-20220420141616-0732022-04-20 15:32:08.533 11241100x8000000000000000250745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:08.532{8D845A55-15AE-6260-2D00-000000004402}2972C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\tmp\surveyor-20220420141614-0742022-04-20 15:32:08.532 354300x8000000000000000250744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:04.624{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56416-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:08.045{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:08.045{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=686FCA0E223DBA5C40768913FF9255A5,SHA256=62DC1BB5F68E83C4E694EADFD70A62A3D3C5A6A4DB780F7C427DAEDCFFA44BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000250750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:09.534{8D845A55-15AE-6260-2D00-000000004402}2972NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0290f7bfe64a40509\channels\health\surveyor-20220420141614-074MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:09.051{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:09.051{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C24A652B131568622CDBCEDAAA310A,SHA256=CF9885F47015A7D60F2B954B986DF3F64197712D71C9D25F9FC29FB04917F2AA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:10.157{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:10.157{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AFDE4BBAF8A0EAB3268DABAB22B6B70,SHA256=B108AB088698DE6A4F986CA40092BF7BF3136644CC18E62C3C94D249FC34E4B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:11.162{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:11.162{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E01B6B82E20E672C92BED0E46CA20E,SHA256=1B335B86B492B9CB9FBA2594387CE5F6681658706E907E5D2C3BA188AB3FD85F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:12.266{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:12.265{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36479B067E958FAFF36D8A36AF81728,SHA256=9017AD853142B16049B547AA2A03CCD5C19E5C8EC18AAA9EE31BB1228166347A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:13.369{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:13.368{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8B65D8F492BD249796DB1F5E730CC44,SHA256=7256AB4E48F3C451D29AC33C934FAAA3E49CF0772A58245015713F0EC0752640,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:10.580{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56417-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:14.375{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000250760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:14.375{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787E1B0C3E9046F30D75067F32B66BE1,SHA256=0823C0D2C561917091D89556AB690249711F97BBEB83F86DE12056C6A7ABB16A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:15.478{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:15.478{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B01E23CB05C4D4BD35D9D436C55648E,SHA256=7AB1AB697B6519C5EAA4185EBCB40F52B60608C7E5CA356B9302142DC05DEED9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:16.581{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:16.581{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAA1F951B458039DFD5CB712ECE09B3,SHA256=29D3657BFF315168D20069C4F9FDC60A2060A969D6AE726A44A7492FE93D1C6B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:17.690{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:17.689{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F48F46FA0DB9577C48366B1D4314F31,SHA256=373EC4D824D40D8390382450AA839830DBC23BEB9D1B2DB767F1848A22EE079E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:17.539{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2022-04-12 13:19:12.909 23542300x8000000000000000250766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:17.539{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6BC92B35B8701A65CD62F06AC950112,SHA256=A026184786C99AA3AE416DAD6391F4D40225185D269007BA3DA9402AC52A5682,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:18.795{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:18.794{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B735D46E6F116B4279EC68B76F111023,SHA256=46984B9DEFD5A510E3FE58B56AD6EA9760AEC0931AFB525E134B1699059C912C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:19.897{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:19.897{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E872C4D18B2FF1D9C49A8E4BC8BC82B,SHA256=D9BB9616605A65A283DDC677148203A343CBBDEF41D634CDEA20125D12ED4F65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:16.495{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x8000000000000000250776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:21.004{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:21.004{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DBE8C746A970E4A3CE516F0D820F0B,SHA256=D1600206D7EE0101134CD4599D8DA50A992F5CE65E2306ECD281BA48614D7CD3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:22.106{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 
23542300x8000000000000000250777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:22.105{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CAC6D00847CB9DB7AAB51F1B4F4ECF,SHA256=820CC4047F74090ECC8354173256D75CEBC4CA47EE04333F505143199D793D39,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:23.209{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:23.208{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3AAEC3379D0C0C357F702C647306B1C,SHA256=B0F87DA243C416C98685D2ABB9A49F2357D2F332F933911B69B6378BA1207F43,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000250782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:24.313{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000250781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:24.312{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D04CD5ADA5BC81802EC5CFE76899F8,SHA256=8C592509A7E2C9280144EF077470CED56584C8BBD4FB4884A1A6FACEB9C30989,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000250831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:23.114{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local58359- 354300x8000000000000000250830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:23.113{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local58853- 354300x8000000000000000250829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:23.110{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local52144- 354300x8000000000000000250828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:23.109{8D845A55-15AE-6260-3100-000000004402}2344C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56860- 
734700x8000000000000000250866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.427{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000250865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.427{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000250864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.427{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000250863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.427{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000250862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.427{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000250861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.426{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000250860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.426{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 
734700x8000000000000000250859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.426{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000250858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.426{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000250857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.426{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000250856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.425{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-278D-6260-4303-000000004402}4880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.425{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000250854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.424{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000250853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.424{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.424{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000250851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.424{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:29.424{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.423{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:29.423{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.423{8D845A55-159A-6260-0500-000000004402}4204820C:\Windows\system32\csrss.exe{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.423{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:29.423{8D845A55-278D-6260-4303-000000004402}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000250844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:26.565{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56422-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 
534500x8000000000000000251009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.913{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x8000000000000000251008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.912{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000251007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.911{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000251006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.909{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 
11241100x8000000000000000251005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.835{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000251004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.835{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25D9278D047B3DEEB6AB11B1146BA2F,SHA256=2423ABF6F367A51725119606F539E45301571BD83A548F13157548F3312EE39D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000251003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.772{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000251002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.771{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000251001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.771{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000251000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.770{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.769{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 
734700x8000000000000000250998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.769{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.768{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000250996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.768{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.762{8D845A55-278E-6260-4503-000000004402}3416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000250994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.762{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000250993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.761{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000250992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.761{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000250991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.761{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000250990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.761{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000250989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 
734700x8000000000000000250988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000250987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000250986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000250985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000250984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000250983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000250982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.760{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 
734700x8000000000000000250981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000250980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000250979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000250977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000250976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000250975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000250974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000250973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.759{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000250972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.758{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000250971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.758{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000250970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.758{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000250969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.758{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000250968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.758{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 
734700x8000000000000000250967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.758{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000250966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.757{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000250965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.757{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000250964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.757{8D845A55-278E-6260-4503-000000004402}3416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000250963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.756{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.756{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000250961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.755{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000250960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.755{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000250959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.755{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000250958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:30.755{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.754{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:30.754{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.754{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000250954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:30.754{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000250953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.754{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000250952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.754{8D845A55-278E-6260-4503-000000004402}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000250951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.282{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x8000000000000000250950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.281{8D845A55-278E-6260-4403-000000004402}60844440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000250949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.280{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000250948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.280{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000250947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.110{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000250946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.110{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 
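The records above are Sysmon events with their XML tags stripped: each one opens with the System fields (EventID, version, level, task, opcode, keywords, EventRecordID, channel, computer) and continues with the EventData fields in schema order, so "734700x8000000000000000250991" is EventID 7 (ImageLoad), version 3, level 4, task 7, opcode 0, record 250991, and "10341000x..." is EventID 10 (ProcessAccess). Records 250963, 250958 through 250953 and 250950 are ProcessAccess events, 250952 is the EID 1 ProcessCreate for splunk-netmon.exe with splunkd.exe ({8D845A55-15AE-6260-2E00-000000004402}) as parent, 250951 is the EID 5 ProcessTerminate for splunk-admon.exe, and everything else is an image load. The GrantedAccess values are Win32 process access masks: 0x1400 (svchost.exe opening sysmon64.exe) is PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION, 0x101400 (splunk-admon.exe opening splunkd.exe) adds SYNCHRONIZE, and 0x1fffff is PROCESS_ALL_ACCESS, which splunkd.exe holds to splunk-netmon.exe because it has just created it (record 250953 pairs with 250952) and which csrss.exe and conhost.exe are also seen holding to the same process (records 250954 and 250963). The Python below is an added example, not code from this page, from Splunk or from Sysinternals: it parses Sysmon XML, decodes the mask, correlates EID 10 against EID 1 parentage so a parent's full-access handle is not reported, and checks the Signed/Signature/SignatureStatus fields of EID 7. Its fixtures are constructed: four re-create records 250952, 250953, 250958 and 250984 in XML form with the long fields omitted, and two synthetic negatives (an LSASS read with 0x1010, and an unsigned DLL in the forwarder's bin directory) do not occur on the page. The rule names, the sensitive-target list, the subsystem-source exclusion and the signer allowlist are assumptions made for the example.

```python
"""Decode and triage Sysmon ProcessAccess (EID 10) and ImageLoad (EID 7) records.
Added example; not code from this page, from Splunk or from Sysinternals.
FIXTURES are constructed: four re-create, in Sysmon's XML layout with long
fields dropped, records 250952, 250953, 250958 and 250984 from this page;
the two marked 'synthetic' are invented negatives that do NOT occur on it.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
UF_BIN = r"C:\Program Files\SplunkUniversalForwarder\bin"

# Win32 process access rights, as carried in Sysmon's GrantedAccess field.
RIGHTS = {
    0x000001: "PROCESS_TERMINATE", 0x000002: "PROCESS_CREATE_THREAD", 0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ", 0x000020: "PROCESS_VM_WRITE", 0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS", 0x000100: "PROCESS_SET_QUOTA", 0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION", 0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE", 0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Rights that let the holder read, alter or kill the target; the others only query it.
INTRUSIVE = {"PROCESS_TERMINATE", "PROCESS_CREATE_THREAD", "PROCESS_VM_OPERATION",
             "PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_ALL_ACCESS"}
SENSITIVE_TARGETS = {"lsass.exe", "sysmon64.exe"}           # assumption: tune per estate
SUBSYSTEM_SOURCES = {"csrss.exe", "conhost.exe"}            # hold full handles to console processes
UF_BIN_SIGNERS = {"Splunk, Inc.", "Microsoft Corporation"}  # signers seen on this page under UF_BIN


def decode_access(mask: int) -> set:
    """Name the bits of a process access mask; 0x1FFFFF collapses to PROCESS_ALL_ACCESS."""
    if mask & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return {"PROCESS_ALL_ACCESS"}
    return {name for bit, name in RIGHTS.items() if mask & bit}


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon <Event> into a dict: EventID, EventRecordID and every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    event = {"EventID": int(system.find(NS + "EventID").text),
             "EventRecordID": int(system.find(NS + "EventRecordID").text)}
    for data in root.find(NS + "EventData"):
        event[data.get("Name")] = data.text or ""
    return event


def basename_win(win_path: str) -> str:
    return win_path.rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Return (EventRecordID, rule) pairs for records that deserve an analyst's attention."""
    # EID 1 says who spawned whom: a parent holding PROCESS_ALL_ACCESS to its child is expected.
    parent_of = {e["ProcessGuid"]: e["ParentProcessGuid"] for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 10:
            rights = decode_access(int(e["GrantedAccess"], 16))
            source, target = basename_win(e["SourceImage"]), basename_win(e["TargetImage"])
            if target in SENSITIVE_TARGETS and rights & INTRUSIVE:
                alerts.append((e["EventRecordID"], "intrusive access to sensitive process"))
            elif ("PROCESS_ALL_ACCESS" in rights and source not in SUBSYSTEM_SOURCES
                  and parent_of.get(e["TargetProcessGUID"]) != e["SourceProcessGUID"]):
                alerts.append((e["EventRecordID"], "full access from non-parent"))
        elif e["EventID"] == 7:
            if e["Signed"] != "true" or e["SignatureStatus"] != "Valid":
                alerts.append((e["EventRecordID"], "unsigned or invalid image load"))
            elif e["ImageLoaded"].lower().startswith(UF_BIN.lower() + "\\") and e["Signature"] not in UF_BIN_SIGNERS:
                alerts.append((e["EventRecordID"], "unexpected signer in forwarder bin"))
    return alerts


def make_event(eid: int, record_id: int, **data) -> str:
    """Render a Sysmon-shaped XML record (fixture builder for this example only)."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS[1:-1]}'><System><EventID>{eid}</EventID>"
            f"<EventRecordID>{record_id}</EventRecordID></System><EventData>{fields}</EventData></Event>")


SPLUNKD = "{8D845A55-15AE-6260-2E00-000000004402}"  # splunkd.exe, PID 3040, from record 250952
NETMON = "{8D845A55-278E-6260-4503-000000004402}"   # splunk-netmon.exe, PID 3416
FIXTURES = [
    make_event(1, 250952, ProcessGuid=NETMON, Image=UF_BIN + r"\splunk-netmon.exe",
               ParentProcessGuid=SPLUNKD, ParentImage=UF_BIN + r"\splunkd.exe"),
    make_event(10, 250953, SourceProcessGUID=SPLUNKD, SourceImage=UF_BIN + r"\splunkd.exe",
               TargetProcessGUID=NETMON, TargetImage=UF_BIN + r"\splunk-netmon.exe", GrantedAccess="0x1fffff"),
    make_event(10, 250958, SourceProcessGUID="{8D845A55-159C-6260-0C00-000000004402}",
               SourceImage=r"C:\Windows\system32\svchost.exe", TargetProcessGUID="{8D845A55-15AE-6260-2F00-000000004402}",
               TargetImage=r"C:\Windows\sysmon64.exe", GrantedAccess="0x1400"),
    make_event(7, 250984, Image=UF_BIN + r"\splunk-netmon.exe", ImageLoaded=UF_BIN + r"\libeay32.dll",
               Signed="true", Signature="Splunk, Inc.", SignatureStatus="Valid"),
    # synthetic: a user-writable binary reading LSASS memory (0x1010 = VM_READ | QUERY_LIMITED_INFORMATION)
    make_event(10, 900001, SourceProcessGUID="{00000000-0000-0000-0000-000000000001}",
               SourceImage=r"C:\Users\Public\tool.exe", TargetProcessGUID="{00000000-0000-0000-0000-000000000002}",
               TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    # synthetic: an unsigned DLL planted beside the forwarder and loaded by it
    make_event(7, 900002, Image=UF_BIN + r"\splunk-netmon.exe", ImageLoaded=UF_BIN + r"\version.dll",
               Signed="false", Signature="", SignatureStatus="Unavailable"),
]

if __name__ == "__main__":
    print(*triage([parse_event(x) for x in FIXTURES]), sep="\n")
```

Run as-is, it reports only the two synthetic records; every record taken from this page is quiet, including the 0x1fffff handle in 250953, because the EID 1 correlation shows the source is the target's parent. In production the csrss.exe/conhost.exe exclusion belongs in the Sysmon configuration's ProcessAccess filter rather than in post-processing, and the signer allowlist for the forwarder directory should be built from a known-good install rather than from the loads observed on one host.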
734700x8000000000000000250945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.109{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000250944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.108{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000250943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.107{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000250942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.107{8D845A55-278E-6260-4403-000000004402}6084C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000250941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.106{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000250940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.106{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000250939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:30.105{8D845A55-278E-6260-4403-000000004402}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000251038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000251037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000251036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000251035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000251034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000251033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000251032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000251031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000251030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000251029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000251028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.742{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000251027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.741{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000251026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.741{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000251025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.741{8D845A55-278F-6260-4603-000000004402}5700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000251024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.741{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000251023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.740{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000251022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.740{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000251021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.739{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000251020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.739{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000251019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.739{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000251018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:31.738{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.738{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:31.738{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.738{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:31.738{8D845A55-159A-6260-0500-000000004402}420436C:\Windows\system32\csrss.exe{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000251013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.738{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000251012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:31.738{8D845A55-278F-6260-4603-000000004402}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000251011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:27.775{8D845A55-159B-6260-0B00-000000004402}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56423-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 354300x8000000000000000251010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:27.775{8D845A55-15AE-6260-2B00-000000004402}2952C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local56423-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-355.attackrange.local389ldap 11241100x8000000000000000251121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.880{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000251120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.877{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D552AB71464A3E2BFD5CA69D810E51F2,SHA256=C1FB2EE4FBAF8466B753807B0A5890E6C199E99157D0B2AC1AB943BA6966CD03,IMPHASH=00000000000000000000000000000000falsetrue 534500x8000000000000000251119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.568{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x8000000000000000251118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.567{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000251117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.566{8D845A55-2790-6260-4703-000000004402}23245524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
734700x8000000000000000251116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.566{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000251115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.565{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000251114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.421{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000251113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.420{8D845A55-2790-6260-4703-000000004402}2324C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000251112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.420{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000251111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.419{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000251110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.418{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000251109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.418{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000251108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.417{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000251107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.417{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 
734700x8000000000000000251106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.411{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000251105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.411{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000251104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.410{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000251103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.410{8D845A55-2790-6260-4703-000000004402}2324C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000251102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.410{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000251101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.410{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000251100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.410{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000251099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000251098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000251097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 
734700x8000000000000000251096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000251095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000251094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000251093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.409{8D845A55-2790-6260-4703-000000004402}2324C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000251092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000251091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000251090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 
734700x8000000000000000251089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000251088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000251087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000251086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000251085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.408{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000251084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.407{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000251083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.407{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 
734700x8000000000000000251082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.407{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000251081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.407{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000251080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.407{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000251079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.406{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2790-6260-4703-000000004402}2324C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000251078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.406{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000251077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.405{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000251076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.405{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000251075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.405{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000251074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.404{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:32.404{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.404{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:32.404{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.404{8D845A55-159A-6260-0500-000000004402}420536C:\Windows\system32\csrss.exe{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000251069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.404{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000251068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:32.403{8D845A55-2790-6260-4703-000000004402}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x8000000000000000251233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.909{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x8000000000000000251232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.908{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API 
HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000251231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.907{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000251230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.907{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 11241100x8000000000000000251229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.897{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000251228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.897{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE81B836BA0F23722844B8A374C2226,SHA256=4E0AAD7AE900AD1EE75F968B38E5E954A55200DBC48415638EBDC5A01AA71CAA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000251227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.757{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000251226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.756{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000251225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.756{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000251224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.756{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4trueMicrosoft WindowsValid 734700x8000000000000000251223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.754{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000251222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.754{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 
734700x8000000000000000251221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.754{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5006 (rs1_release.220301-1704)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000251220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.748{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000251219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.747{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000251218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.747{8D845A55-2791-6260-4903-000000004402}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000251217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.747{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000251216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.747{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000251215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.747{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000251214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.747{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000251213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4704 (rs1_release.211004-1917)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=FBB483E6A34C0E6772984FD93573CB4A,SHA256=170792721871CF37C76CD2F662DFE92568E2EBDC45075B974D2125249BB6398D,IMPHASH=396555AAEAB1402915E17EE8C257B7CFtrueMicrosoft WindowsValid 734700x8000000000000000251212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000251211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000251210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000251209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000251208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000251207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000251206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000251205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.746{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 
734700x8000000000000000251204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.745{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000251203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.745{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000251202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.745{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000251201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.745{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 
librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000251200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.745{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000251199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.744{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5006 (rs1_release.220301-1704)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692trueMicrosoft WindowsValid 734700x8000000000000000251198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.744{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 
734700x8000000000000000251197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.744{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000251196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.744{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000251195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.743{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000251194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.743{8D845A55-2791-6260-4903-000000004402}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000251193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.743{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000251192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.742{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000251191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.742{8D845A55-15AF-6260-3A00-000000004402}32923312C:\Windows\system32\conhost.exe{8D845A55-2791-6260-4903-000000004402}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000251190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.741{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5006 (rs1_release.220301-1704)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000251189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.741{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000251188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:33.741{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000251187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.740{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000251186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.740{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 
734700x8000000000000000251185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.740{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000251184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.739{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 
15:32:33.739{8D845A55-159C-6260-0C00-000000004402}844100C:\Windows\system32\svchost.exe{8D845A55-15AE-6260-2F00-000000004402}1212C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000251182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.739{8D845A55-159A-6260-0500-000000004402}420356C:\Windows\system32\csrss.exe{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000251181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.739{8D845A55-15AE-6260-2E00-000000004402}30403752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000251180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.739{8D845A55-2791-6260-4903-000000004402}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8D845A55-159B-6260-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000251179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.646{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+af4a0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000251178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.646{8D845A55-15DF-6260-9400-000000004402}43242492C:\Windows\Explorer.EXE{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+aef81|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800B9E62B58)|UNKNOWN(FFFFFDB12ECA5B88)|UNKNOWN(FFFFFDB12ECA5D07)|UNKNOWN(FFFFFDB12ECA0391)|UNKNOWN(FFFFFDB12ECA1D5A)|UNKNOWN(FFFFFDB12ECA0016)|UNKNOWN(FFFFF800B9B78503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+b2cfb|C:\Windows\System32\SHELL32.dll+5360a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000251177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.646{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF463b8d.TMPMD5=DD8C29AAE0A45C3822ADE0E7CA84C037,SHA256=448C743772008F1A6623E6915E6111011845DFE3385A89996681D81E97DA526D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000251176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.644{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF463b8d.TMP2022-04-20 15:32:33.644 11241100x8000000000000000251175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.641{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z7F1M0X0XJZ7MYQOV9X2.temp2022-04-20 15:32:33.641 534500x8000000000000000251174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.238{8D845A55-2791-6260-4803-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x8000000000000000251173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.236{8D845A55-2791-6260-4803-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000251172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.236{8D845A55-2791-6260-4803-000000004402}13125824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8D845A55-15AE-6260-2E00-000000004402}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000251171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.229{8D845A55-2791-6260-4803-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000251170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:33.229{8D845A55-2791-6260-4803-000000004402}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® 
Sysmon events, one record per line. Every record below is from Channel Microsoft-Windows-Sysmon/Operational on Computer win-dc-ctus-attack-range-355.attackrange.local with Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-" and Task equal to EventID; Version is 3 for events 7 and 10, 5 for events 1, 3 and 23, and 2 for event 11. EventData fields are labelled with their Sysmon schema names.

(tail of an Event 7 record whose beginning precedes this section) …Operating System | Company=Microsoft | OriginalFileName=DBGHELP.DLL | Hashes=MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251169 | UtcTime=2022-04-20 15:32:33.093 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\cryptbase.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Base cryptographic API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptbase.dll | Hashes=MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251168 | UtcTime=2022-04-20 15:32:33.093 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\rsaenh.dll | FileVersion=10.0.14393.4467 (rs1_release.210604-1844) | Description=Microsoft Enhanced Cryptographic Provider | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rsaenh.dll | Hashes=MD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251167 | UtcTime=2022-04-20 15:32:33.092 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\cryptsp.dll | FileVersion=10.0.14393.2969 (rs1_release.190503-1820) | Description=Cryptographic Service Provider API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=cryptsp.dll | Hashes=MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251166 | UtcTime=2022-04-20 15:32:33.091 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\srvcli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Server Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=SRVCLI.DLL | Hashes=MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB,IMPHASH=B15A9E7274075AC5A54930989FAC32E4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251165 | UtcTime=2022-04-20 15:32:33.090 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\bcrypt.dll | FileVersion=10.0.14393.4583 (rs1_release.210730-1850) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcrypt.dll | Hashes=MD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238D | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251164 | UtcTime=2022-04-20 15:32:33.090 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\wkscli.dll | FileVersion=10.0.14393.4886 (rs1_release.220104-1735) | Description=Workstation Service Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WKSCLI.DLL | Hashes=MD5=001C755958B4216CE8E4277273CF9A35,SHA256=46C4BEA93D30D2D9E622D981AC874B7E0B1A1204BA5D1EEE1ECA7B4E360E6B56,IMPHASH=6990BA83B94C81786A84E6C44E699D03 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251163 | UtcTime=2022-04-20 15:32:33.089 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\netutils.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Net Win32 API Helpers DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NETUTILS.DLL | Hashes=MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251162 | UtcTime=2022-04-20 15:32:33.089 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\netapi32.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Net Win32 API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=NetApi32.DLL | Hashes=MD5=F00A9E801A540DD523162523F1B23E5D,SHA256=A76A07EDCD042C9123CC9E1438E517540302401C01145BF3D0205C51A5231B8A,IMPHASH=FE007B4B6CED5075C98434207FFF87E0 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251161 | UtcTime=2022-04-20 15:32:33.083 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=msvcp140.dll | Hashes=MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DD | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid

EventID=7 | RecordID=251160 | UtcTime=2022-04-20 15:32:33.082 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\msvcp_win.dll | FileVersion=10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcp_win.dll | Hashes=MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59A | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251159 | UtcTime=2022-04-20 15:32:33.082 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\oleaut32.dll | FileVersion=10.0.14393.4402 (rs1_release.210426-1725) | Description=OLEAUT32.DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLEAUT32.DLL | Hashes=MD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962F | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251158 | UtcTime=2022-04-20 15:32:33.082 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\bcryptprimitives.dll | FileVersion=10.0.14393.4770 (rs1_release.211101-1440) | Description=Windows Cryptographic Primitives Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=bcryptprimitives.dll | Hashes=MD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251157 | UtcTime=2022-04-20 15:32:33.081 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\combase.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Microsoft COM for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=COMBASE.DLL | Hashes=MD5=A9D9CF5B5FD3E1D15724B39C1EAF20AE,SHA256=EA7E52ACB9E23D08A2290F2685E90BA2F87826685BD5BA2B3B12676FB3CA4989,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251156 | UtcTime=2022-04-20 15:32:33.080 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\Wldap32.dll | FileVersion=10.0.14393.3269 (rs1_release.190929-1234) | Description=Win32 LDAP API DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=WLDAP32.DLL | Hashes=MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3,IMPHASH=D13722FCCB1CDD38974ADB7277D98799 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251155 | UtcTime=2022-04-20 15:32:33.080 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\ole32.dll | FileVersion=10.0.14393.4651 (rs1_release.210911-1554) | Description=Microsoft OLE for Windows | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=OLE32.DLL | Hashes=MD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251154 | UtcTime=2022-04-20 15:32:33.080 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\gdi32full.dll | FileVersion=10.0.14393.4886 (rs1_release.220104-1735) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76E,IMPHASH=059EB3BAA45E35C79FAE66F7279059EE | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251153 | UtcTime=2022-04-20 15:32:33.080 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\adsldpc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=ADs LDAP Provider C DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=adsldpc | Hashes=MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251152 | UtcTime=2022-04-20 15:32:33.080 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\gdi32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=GDI Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=gdi32 | Hashes=MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251151 | UtcTime=2022-04-20 15:32:33.080 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\win32u.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Win32u | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Win32u.DLL | Hashes=MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251150 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\user32.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Multi-User Windows USER API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=user32 | Hashes=MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251149 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | FileVersion=14.16.27012.6 built by: vcwrkspc | Description=Microsoft® C Runtime Library | Product=Microsoft® Visual Studio® 2017 | Company=Microsoft Corporation | OriginalFileName=vcruntime140.dll | Hashes=MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7E | Signed=true | Signature=Microsoft Corporation | SignatureStatus=Valid

EventID=7 | RecordID=251148 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\ws2_32.dll | FileVersion=10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Description=Windows Socket 2.0 32-Bit DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ws2_32.dll | Hashes=MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251147 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251146 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | FileVersion=1.0.2za | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=libeay32.dll | Hashes=MD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFE | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251145 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\rpcrt4.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Remote Procedure Call Runtime | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=rpcrt4.dll | Hashes=MD5=15F8A053D1C107CE7541C176245D41F2,SHA256=57C20DA6894F71C7252D71CC40FFADAAD6FA47CBC0EFA6C6F85F899F5E72C9A9,IMPHASH=154EA5DE40F0F2475E943DE8013E5692 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251144 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72E | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251143 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251142 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | FileVersion=1.0.2za | Description=OpenSSL Shared Library | Product=The OpenSSL Toolkit | Company=The OpenSSL Project, http://www.openssl.org/ | OriginalFileName=ssleay32.dll | Hashes=MD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251141 | UtcTime=2022-04-20 15:32:33.079 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\sechost.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Host for SCM/SDDL/LSA Lookup APIs | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=sechost.dll | Hashes=MD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251140 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\ucrtbase.dll | FileVersion=10.0.14393.3659 (rs1_release_1.200410-1813) | Description=Microsoft® C Runtime Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ucrtbase.dll | Hashes=MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44C | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251139 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | FileVersion=- | Description=- | Product=- | Company=- | OriginalFileName=- | Hashes=MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251138 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\msvcrt.dll | FileVersion=7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Description=Windows NT CRT DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=msvcrt.dll | Hashes=MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAF | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251137 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\activeds.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=ADs Router Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ADs | Hashes=MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBB | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251136 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | FileVersion=2.9.10 | Description=libxml2 library | Product=libxml2 | Company=- | OriginalFileName=libxml2.dll | Hashes=MD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=7 | RecordID=251135 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\secur32.dll | FileVersion=10.0.14393.2273 (rs1_release_1.180427-1811) | Description=Security Support Provider Interface | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=secur32.dll | Hashes=MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251134 | UtcTime=2022-04-20 15:32:33.078 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\advapi32.dll | FileVersion=10.0.14393.4886 (rs1_release.220104-1735) | Description=Advanced Windows 32 Base API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=advapi32.dll | Hashes=MD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EA | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=10 | RecordID=251133 | UtcTime=2022-04-20 15:32:33.077 | SourceProcessGUID={8D845A55-15AF-6260-3A00-000000004402} | SourceProcessId=3292 | SourceThreadId=3312 | SourceImage=C:\Windows\system32\conhost.exe | TargetProcessGUID={8D845A55-2791-6260-4803-000000004402} | TargetProcessId=1312 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=7 | RecordID=251132 | UtcTime=2022-04-20 15:32:33.076 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\KernelBase.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Kernelbase.dll | Hashes=MD5=82A6381DD5A8F0E41E0DD8F382612A81,SHA256=EB5D7DD96CEF7AE80B40F63272584FD483967135C4BCEAE697528004A238923C,IMPHASH=05349EBAA635D77714868763D44881E9 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251131 | UtcTime=2022-04-20 15:32:33.076 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | FileVersion=10.0.14393.4651 (rs1_release.210911-1554) | Description=Windows NT BASE API Client DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=kernel32 | Hashes=MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412F,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=7 | RecordID=251130 | UtcTime=2022-04-20 15:32:33.076 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Windows\System32\ntdll.dll | FileVersion=10.0.14393.5006 (rs1_release.220301-1704) | Description=NT Layer DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=ntdll.dll | Hashes=MD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid

EventID=10 | RecordID=251129 | UtcTime=2022-04-20 15:32:33.076 | SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=100 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=7 | RecordID=251128 | UtcTime=2022-04-20 15:32:33.076 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | ImageLoaded=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | FileVersion=8.2.5 | Description=Registry monitor | Product=splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-regmon.exe | Hashes=MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778 | Signed=true | Signature=Splunk, Inc. | SignatureStatus=Valid

EventID=10 | RecordID=251127 | UtcTime=2022-04-20 15:32:33.075 | SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=100 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 | RecordID=251126 | UtcTime=2022-04-20 15:32:33.075 | SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=100 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 | RecordID=251125 | UtcTime=2022-04-20 15:32:33.075 | SourceProcessGUID={8D845A55-159C-6260-0C00-000000004402} | SourceProcessId=844 | SourceThreadId=100 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={8D845A55-15AE-6260-2F00-000000004402} | TargetProcessId=1212 | TargetImage=C:\Windows\sysmon64.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a523|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52cfc|C:\Windows\System32\RPCRT4.dll+358a4|C:\Windows\System32\RPCRT4.dll+347bd|C:\Windows\System32\RPCRT4.dll+3506b|C:\Windows\System32\RPCRT4.dll+20e5c|C:\Windows\System32\RPCRT4.dll+212dc|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a58a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 | RecordID=251124 | UtcTime=2022-04-20 15:32:33.075 | SourceProcessGUID={8D845A55-159A-6260-0500-000000004402} | SourceProcessId=420 | SourceThreadId=356 | SourceImage=C:\Windows\system32\csrss.exe | TargetProcessGUID={8D845A55-2791-6260-4803-000000004402} | TargetProcessId=1312 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f

EventID=10 | RecordID=251123 | UtcTime=2022-04-20 15:32:33.075 | SourceProcessGUID={8D845A55-15AE-6260-2E00-000000004402} | SourceProcessId=3040 | SourceThreadId=3752 | SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | TargetProcessGUID={8D845A55-2791-6260-4803-000000004402} | TargetProcessId=1312 | TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | GrantedAccess=0x1fffff | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b346|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=1 | RecordID=251122 | UtcTime=2022-04-20 15:32:33.075 | ProcessGuid={8D845A55-2791-6260-4803-000000004402} | ProcessId=1312 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe | FileVersion=8.2.5 | Description=Registry monitor | Product=splunk Application | Company=Splunk Inc. | OriginalFileName=splunk-regmon.exe | CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" | CurrentDirectory=C:\Windows\system32\ | User=NT AUTHORITY\SYSTEM | LogonGuid={8D845A55-159B-6260-E703-000000000000} | LogonId=0x3e7 | TerminalSessionId=0 | IntegrityLevel=System | Hashes=MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778 | ParentProcessGuid={8D845A55-15AE-6260-2E00-000000004402} | ParentProcessId=3040 | ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EventID=11 | RecordID=251240 | UtcTime=2022-04-20 15:32:34.992 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251239 | UtcTime=2022-04-20 15:32:34.991 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=BD23CA6BE8BEAAF84236EF216365788D,SHA256=92EA6112E40AFCD7F99EB6F629F9DA68AE31ADFC670A88B01D256E7B6966F89C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=10 | RecordID=251238 | UtcTime=2022-04-20 15:32:34.629 | SourceProcessGUID={8D845A55-159D-6260-0D00-000000004402} | SourceProcessId=900 | SourceThreadId=5648 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={8D845A55-15AE-6260-3000-000000004402} | TargetProcessId=2368 | TargetImage=C:\Windows\system32\svchost.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=10 | RecordID=251237 | UtcTime=2022-04-20 15:32:34.629 | SourceProcessGUID={8D845A55-159D-6260-0D00-000000004402} | SourceProcessId=900 | SourceThreadId=5648 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={8D845A55-1AE7-6260-9101-000000004402} | TargetProcessId=6032 | TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791

EventID=3 | RecordID=251236 | UtcTime=2022-04-20 15:32:31.603 | ProcessGuid={8D845A55-15B9-6260-7900-000000004402} | ProcessId=3332 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-355.attackrange.local | SourcePort=56424 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal | DestinationPort=8000 | DestinationPortName=-

EventID=11 | RecordID=251235 | UtcTime=2022-04-20 15:32:34.130 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251234 | UtcTime=2022-04-20 15:32:34.129 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3E10747350F36320BDB48737A2A86B61,SHA256=63C1372A29639939AC6C8FEF74C21FA07BE71D96523E3DFBBB561C4982101C1C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=11 | RecordID=251242 | UtcTime=2022-04-20 15:32:36.096 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251241 | UtcTime=2022-04-20 15:32:36.095 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3262FDBA6BF3591F85E68D4398894E89,SHA256=755DD7155F3944F25492943902D0FF394D524E3C5CC34AC15AE3B2106C25C89C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=11 | RecordID=251244 | UtcTime=2022-04-20 15:32:37.106 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251243 | UtcTime=2022-04-20 15:32:37.106 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=A6CCB6B9EA185E14109CDD77561F3BC7,SHA256=0C0798D0E29BF8159D875FD93AE135B49CF88DF469EA24FA317D0B7641360FD2,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=11 | RecordID=251246 | UtcTime=2022-04-20 15:32:38.211 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251245 | UtcTime=2022-04-20 15:32:38.211 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=67DCF78EABFC668C51910DEF3E36ED8F,SHA256=098B35768850CE5C0C2513C0AE9C44226E666B633DC18C361B1A2BDD0F47D9F5,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=11 | RecordID=251248 | UtcTime=2022-04-20 15:32:39.315 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251247 | UtcTime=2022-04-20 15:32:39.314 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=7FED407FBB7BBBB28E24C0031D622CFD,SHA256=887F0B2DA76045B5F77B7CD0329EF68DF6FB852E1976353EA87269AFD84200C7,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=3 | RecordID=251251 | UtcTime=2022-04-20 15:32:37.592 | ProcessGuid={8D845A55-15B9-6260-7900-000000004402} | ProcessId=3332 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-ctus-attack-range-355.attackrange.local | SourcePort=56425 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal | DestinationPort=8000 | DestinationPortName=-

EventID=11 | RecordID=251250 | UtcTime=2022-04-20 15:32:40.317 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251249 | UtcTime=2022-04-20 15:32:40.317 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=1930878D99F2559B1C191285777A3EAA,SHA256=E9E2ECC3E9013CDE7171F59A93834C3A8C6AD88223818A4B4F3784DA4D10034D,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=11 | RecordID=251253 | UtcTime=2022-04-20 15:32:41.422 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251252 | UtcTime=2022-04-20 15:32:41.422 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=F34F2D41138C25774BFFA9DC56B95303,SHA256=45737BD58608B0244A0F9A5620467FC648D3E0AE641DA405F4AF4839C42F83CB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true

EventID=11 | RecordID=251255 | UtcTime=2022-04-20 15:32:42.526 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2022-04-12 13:22:35.754

EventID=23 | RecordID=251254 | UtcTime=2022-04-20 15:32:42.526 | ProcessGuid={8D845A55-15C1-6260-8300-000000004402} | ProcessId=776 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program (record continues beyond the end of this section)
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB572CA21584B6435C10BDEC9F144A92,SHA256=3D3244628A04F7362347BE09606D81EC482C8AFD4E8CC08AC807395E45E067F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000251257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:43.630{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000251256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:43.630{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A49205801BD734368336D35C44D020,SHA256=ADAB18144DCEFAB09BD840804B09AC1AD2123C63707060E79170B65176B533E9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000251259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:44.735{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000251258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:44.734{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAF3169EC9DF28283921BC0CB511D4C,SHA256=A71AC533FC77358B2D5925F23FE28A34DDB41E331D3D169DD2FB6F5F9688E2B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000251263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:45.840{8D845A55-15C1-6260-8300-000000004402}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2022-04-12 13:22:35.754 23542300x8000000000000000251262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:45.840{8D845A55-15C1-6260-8300-000000004402}776NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=577AEB55BCFE8FE009219BFE98951417,SHA256=A9B8DA4FDD9CC39F83B36A75724EB72166E144B8C1619CB9179913386A821D5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000251261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:45.586{8D845A55-1AE7-6260-9101-000000004402}6032C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.bin2022-04-12 13:31:22.993 23542300x8000000000000000251260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:45.585{8D845A55-1AE7-6260-9101-000000004402}6032ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1huziwj5.default-release\datareporting\glean\db\data.safe.binMD5=A3C6E1A1FBD31B669FD33BE244763289,SHA256=C6138999029C31E13BA15089271C50C988044A2D3912442A9A92AFA70A64D22C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000251264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-355.attackrange.local-2022-04-20 15:32:42.604{8D845A55-15B9-6260-7900-000000004402}3332C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-355.attackrange.local56426-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
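What the export shows is a steady rhythm: roughly once a second splunk-winevtlog.exe rewrites the same file (judging by its path, the forwarder's checkpoint for the WinEventLog input), and Sysmon records each rewrite as a FileDelete with Archived=true (Sysmon kept an archive copy) followed within a millisecond by a FileCreate for the same path from the same ProcessGuid; in between, streamfwd.exe opens TCP connections from 10.0.1.14 to 10.0.1.12:8000. The Python below is an added example, not part of the export and not code from Splunk or Sysmon: it parses Sysmon events in their native XML layout, pairs each FileDelete with the next FileCreate on the same ProcessGuid and TargetFilename inside a time window, and summarises the NetworkConnect records. The sample XML is constructed here from three of the records above (EventRecordID 251234, 251235, 251251) with only the fields the code reads; the 1000 ms pairing window is an arbitrary assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three records from the export above rebuilt in Sysmon's
# XML layout, which the flattened page has lost. Only the fields used below
# are kept; a real export also carries the Windows events XML namespace on
# every tag, which parse_events() strips.
SAMPLE_XML = r"""<Events>
<Event><System><EventID>23</EventID><EventRecordID>251234</EventRecordID></System>
<EventData>
<Data Name="UtcTime">2022-04-20 15:32:34.129</Data>
<Data Name="ProcessGuid">{8D845A55-15C1-6260-8300-000000004402}</Data>
<Data Name="Image">C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Data>
<Data Name="TargetFilename">C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational</Data>
<Data Name="Hashes">MD5=3E10747350F36320BDB48737A2A86B61,SHA256=63C1372A29639939AC6C8FEF74C21FA07BE71D96523E3DFBBB561C4982101C1C,IMPHASH=00000000000000000000000000000000</Data>
<Data Name="Archived">true</Data>
</EventData></Event>
<Event><System><EventID>11</EventID><EventRecordID>251235</EventRecordID></System>
<EventData>
<Data Name="UtcTime">2022-04-20 15:32:34.130</Data>
<Data Name="ProcessGuid">{8D845A55-15C1-6260-8300-000000004402}</Data>
<Data Name="Image">C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe</Data>
<Data Name="TargetFilename">C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational</Data>
<Data Name="CreationUtcTime">2022-04-12 13:22:35.754</Data>
</EventData></Event>
<Event><System><EventID>3</EventID><EventRecordID>251251</EventRecordID></System>
<EventData>
<Data Name="UtcTime">2022-04-20 15:32:37.592</Data>
<Data Name="ProcessGuid">{8D845A55-15B9-6260-7900-000000004402}</Data>
<Data Name="Image">C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe</Data>
<Data Name="Protocol">tcp</Data>
<Data Name="Initiated">true</Data>
<Data Name="SourceIp">10.0.1.14</Data>
<Data Name="SourcePort">56425</Data>
<Data Name="DestinationIp">10.0.1.12</Data>
<Data Name="DestinationPort">8000</Data>
</EventData></Event>
</Events>"""


def _local(tag):
    """Drop the {namespace} prefix that real Sysmon exports put on every tag."""
    return tag.rsplit("}", 1)[-1]


def _ts(s):
    """Sysmon UtcTime strings look like 2022-04-20 15:32:34.130."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_events(xml_text):
    """One flat dict per <Event>: EventID, EventRecordID and each EventData Name."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "Event":
            continue
        rec = {}
        for node in ev.iter():
            name = _local(node.tag)
            if name in ("EventID", "EventRecordID"):
                rec[name] = int(node.text)
            elif name == "Data" and node.get("Name"):
                rec[node.get("Name")] = node.text or ""
        events.append(rec)
    return events


def pair_rewrites(events, window_ms=1000):
    """Match each FileDelete (23) to the next FileCreate (11) on the same
    ProcessGuid + TargetFilename within window_ms. A steady stream of such
    pairs from one process is a file rewritten in place, not a deletion."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("EventID") in (11, 23):
            by_key[(e["ProcessGuid"], e["TargetFilename"])].append(e)
    pairs = []
    for (_guid, path), recs in by_key.items():
        recs.sort(key=lambda r: _ts(r["UtcTime"]))
        pending = None  # most recent FileDelete still waiting for its FileCreate
        for r in recs:
            if r["EventID"] == 23:
                pending = r
                continue
            if pending is not None:
                delta_us = (_ts(r["UtcTime"]) - _ts(pending["UtcTime"])) // timedelta(microseconds=1)
                if 0 <= delta_us <= window_ms * 1000:
                    hashes = dict(h.split("=", 1) for h in pending["Hashes"].split(","))
                    pairs.append({"image": r["Image"], "path": path,
                                  "delete_rid": pending["EventRecordID"],
                                  "create_rid": r["EventRecordID"],
                                  "delta_ms": delta_us / 1000,
                                  "archived": pending.get("Archived") == "true",
                                  "sha256": hashes.get("SHA256")})
            pending = None
    return pairs


def network_connects(events):
    """(image basename, src, dst, initiated) for every NetworkConnect (3)."""
    return [(e["Image"].rsplit("\\", 1)[-1],
             f'{e["SourceIp"]}:{e["SourcePort"]}',
             f'{e["DestinationIp"]}:{e["DestinationPort"]}',
             e.get("Initiated") == "true")
            for e in events if e.get("EventID") == 3]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for p in pair_rewrites(evs):
        print(f'rewrite of {p["path"]} by {p["image"]}: 23#{p["delete_rid"]} -> 11#{p["create_rid"]} after {p["delta_ms"]} ms, archived={p["archived"]}')
    for c in network_connects(evs):
        print("connect", c)
```

Run it directly to print the one pair and the one connection in the sample. For a real export, replace SAMPLE_XML with the exported Sysmon XML and feed pair_rewrites() the whole record set: a path that turns up in a pair every second from one ProcessGuid is rewrite churn to tune out by ProcessGuid plus TargetFilename, while a FileDelete with no FileCreate following it is the deletion the FileDelete event exists to catch.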